iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Laura Abbott 8b89affb42 sunrpc: Don't use stack buffer with scatterlist 
[ Upstream commit 44090cc876926277329e1608bafc01b9f6da627f ]

Fedora got a bug report from NFS:

kernel BUG at include/linux/scatterlist.h:143!
...
RIP: 0010:sg_init_one+0x7d/0x90
..
  make_checksum+0x4e7/0x760 [rpcsec_gss_krb5]
  gss_get_mic_kerberos+0x26e/0x310 [rpcsec_gss_krb5]
  gss_marshal+0x126/0x1a0 [auth_rpcgss]
  ? __local_bh_enable_ip+0x80/0xe0
  ? call_transmit_status+0x1d0/0x1d0 [sunrpc]
  call_transmit+0x137/0x230 [sunrpc]
  __rpc_execute+0x9b/0x490 [sunrpc]
  rpc_run_task+0x119/0x150 [sunrpc]
  nfs4_run_exchange_id+0x1bd/0x250 [nfsv4]
  _nfs4_proc_exchange_id+0x2d/0x490 [nfsv4]
  nfs41_discover_server_trunking+0x1c/0xa0 [nfsv4]
  nfs4_discover_server_trunking+0x80/0x270 [nfsv4]
  nfs4_init_client+0x16e/0x240 [nfsv4]
  ? nfs_get_client+0x4c9/0x5d0 [nfs]
  ? _raw_spin_unlock+0x24/0x30
  ? nfs_get_client+0x4c9/0x5d0 [nfs]
  nfs4_set_client+0xb2/0x100 [nfsv4]
  nfs4_create_server+0xff/0x290 [nfsv4]
  nfs4_remote_mount+0x28/0x50 [nfsv4]
  mount_fs+0x3b/0x16a
  vfs_kern_mount.part.35+0x54/0x160
  nfs_do_root_mount+0x7f/0xc0 [nfsv4]
  nfs4_try_mount+0x43/0x70 [nfsv4]
  ? get_nfs_version+0x21/0x80 [nfs]
  nfs_fs_mount+0x789/0xbf0 [nfs]
  ? pcpu_alloc+0x6ca/0x7e0
  ? nfs_clone_super+0x70/0x70 [nfs]
  ? nfs_parse_mount_options+0xb40/0xb40 [nfs]
  mount_fs+0x3b/0x16a
  vfs_kern_mount.part.35+0x54/0x160
  do_mount+0x1fd/0xd50
  ksys_mount+0xba/0xd0
  __x64_sys_mount+0x21/0x30
  do_syscall_64+0x60/0x1f0
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

This is BUG_ON(!virt_addr_valid(buf)) triggered by using a stack
allocated buffer with a scatterlist. Convert the buffer for
rc4salt to be dynamically allocated instead.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1615258
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-15 09:45:26 +02:00
..
6lowpan
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
9p
net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
2018-09-09 19:55:55 +02:00
802
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
8021q
net: fix use-after-free in GRO with ESP
2018-07-22 14:28:44 +02:00
appletalk
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
atm
atm: Preserve value of skb->truesize when accounting to vcc
2018-07-22 14:28:43 +02:00
ax25
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
batman-adv
batman-adv: Fix multicast TT issues with bogus ROAM flags
2018-08-24 13:09:05 +02:00
bluetooth
Bluetooth: avoid killing an already killed socket
2018-08-22 07:46:11 +02:00
bpf
bridge
netfilter: ebtables: reject non-bridge targets
2018-07-22 14:28:49 +02:00
caif
net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
2018-09-05 09:26:27 +02:00
can
can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
2018-01-23 19:58:17 +01:00
ceph
libceph, ceph: avoid memory leak when specifying same option several times
2018-05-30 07:52:04 +02:00
core
bpf: use GFP_ATOMIC instead of GFP_KERNEL in bpf_parse_prog()
2018-09-05 09:26:30 +02:00
dcb
rtnetlink: make rtnl_register accept a flags parameter
2017-08-09 16:57:38 -07:00
dccp
dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()
2018-08-22 07:46:08 +02:00
decnet
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
2018-02-25 11:07:52 +01:00
dns_resolver
KEYS: DNS: fix parsing multiple options
2018-07-22 14:28:49 +02:00
dsa
net: dsa: Do not suspend/resume closed slave_dev
2018-08-06 16:20:48 +02:00
ethernet
networking: make skb_push & __skb_push return void pointers
2017-06-16 11:48:40 -04:00
hsr
net/hsr: Check skb_put_padto() return value
2017-08-22 13:40:23 -07:00
ieee802154
net: 6lowpan: fix reserved space for single frames
2018-09-09 19:55:52 +02:00
ife
net: sched: ife: check on metadata length
2018-04-29 11:33:13 +02:00
ipv4
tcp: do not restart timewait timer on rst reception
2018-09-15 09:45:25 +02:00
ipv6
vti6: remove !skb->ignore_df check from vti6_xmit()
2018-09-15 09:45:25 +02:00
ipx
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
iucv
net/iucv: Free memory obtained by kzalloc
2018-03-31 18:10:41 +02:00
kcm
kcm: Fix use-after-free caused by clonned sockets
2018-06-11 22:49:19 +02:00
key
af_key: Always verify length of provided sadb_key
2018-06-16 09:45:14 +02:00
l2tp
l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache
2018-08-22 07:46:08 +02:00
l3mdev
lapb
net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
llc
llc: use refcount_inc_not_zero() for llc_sap_find()
2018-08-22 07:46:08 +02:00
mac80211
mac80211: add stations tied to AP_VLANs during hw reconfig
2018-09-05 09:26:23 +02:00
mac802154
net: mac802154: tx: expand tailroom if necessary
2018-09-09 19:55:52 +02:00
mpls
mpls, nospec: Sanitize array index in mpls_label_ok()
2018-02-22 15:42:28 +01:00
ncsi
net/ncsi: Fix length of GVI response packet
2017-10-21 01:56:38 +01:00
netfilter
netfilter: nf_tables: don't allow to rename to already-pending name
2018-09-05 09:26:27 +02:00
netlabel
netlabel: If PF_INET6, check sk_buff ip header version
2018-05-30 07:52:40 +02:00
netlink
netlink: Don't shift on 64 for ngroups
2018-08-09 12:16:38 +02:00
netrom
net, netrom: convert nr_node.refcount from atomic_t to refcount_t
2017-07-04 22:35:17 +01:00
nfc
net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.
2018-07-22 14:28:49 +02:00
nsh
nsh: set mac len based on inner packet
2018-07-22 14:28:49 +02:00
openvswitch
openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
2018-05-19 10:20:24 +02:00
packet
packet: refine ring v3 block size test to hold one frame
2018-08-24 13:09:22 +02:00
phonet
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
psample
MAINTAINERS: Update Yotam's E-mail
2017-11-01 12:19:03 +09:00
qrtr
net: qrtr: Broadcast messages only from control port
2018-08-24 13:09:13 +02:00
rds
rds: avoid unenecessary cong_update in loop transport
2018-07-22 14:28:49 +02:00
rfkill
rfkill: gpio: fix memory leak in probe error path
2018-05-16 10:10:26 +02:00
rose
rxrpc
rxrpc: Fix user call ID check in rxrpc_service_prealloc_one
2018-08-06 16:20:48 +02:00
sched
net: sched: action_ife: take reference to meta module
2018-09-15 09:45:26 +02:00
sctp
sctp: hold transport before accessing its asoc in sctp_transport_get_next
2018-09-15 09:45:25 +02:00
smc
net/smc: no shutdown in state SMC_LISTEN
2018-08-24 13:09:22 +02:00
strparser
strparser: Remove early eaten to fix full tcp receive buffer stall
2018-07-22 14:28:47 +02:00
sunrpc
sunrpc: Don't use stack buffer with scatterlist
2018-09-15 09:45:26 +02:00
switchdev
net: switchdev: Remove bridge bypass support from switchdev
2017-08-07 14:48:48 -07:00
tipc
tipc: fix a missing rhashtable_walk_exit()
2018-09-15 09:45:25 +02:00
tls
sock: fix sg page frag coalescing in sk_alloc_sg
2018-07-28 07:55:42 +02:00
unix
License cleanup: add SPDX license identifiers to some files
2017-11-02 10:04:46 -07:00
vmw_vsock
vsock: split dwork to avoid reinitializations
2018-08-22 07:46:08 +02:00
wimax
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
wireless
nl80211: Add a missing break in parse_station_flags
2018-09-05 09:26:24 +02:00
x25
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
xfrm
xfrm: free skb if nlsk pointer is NULL
2018-09-05 09:26:23 +02:00
compat.c
net: support compat 64-bit time in {s,g}etsockopt
2018-05-19 10:20:24 +02:00
Kconfig
net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros.
2017-09-04 13:25:20 +02:00
Makefile
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
socket.c
net: socket: fix potential spectre v1 gadget in socketcall
2018-08-06 16:20:48 +02:00
sysctl_net.c