Commit 769f696

rxrpc: Fix oops from calling udpv6_sendmsg() on AF_INET socket
jira LE-1907
Rebuild_History Non-Buildable kernel-5.14.0-284.30.1.el9_2
commit-author David Howells <[email protected]>
commit 6423ac2

If rxrpc sees an IPv6 address, it assumes it can call udpv6_sendmsg() on it - even if it got it on an IPv4 socket. Fix do_udp_sendmsg() to give an error in such a case.

    general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
    ...
    RIP: 0010:ipv6_addr_v4mapped include/net/ipv6.h:749 [inline]
    RIP: 0010:udpv6_sendmsg+0xd0a/0x2c70 net/ipv6/udp.c:1361
    ...
    Call Trace:
     do_udp_sendmsg net/rxrpc/output.c:27 [inline]
     do_udp_sendmsg net/rxrpc/output.c:21 [inline]
     rxrpc_send_abort_packet+0x73b/0x860 net/rxrpc/output.c:367
     rxrpc_release_calls_on_socket+0x211/0x300 net/rxrpc/call_object.c:595
     rxrpc_release_sock net/rxrpc/af_rxrpc.c:886 [inline]
     rxrpc_release+0x263/0x5a0 net/rxrpc/af_rxrpc.c:917
     __sock_release+0xcd/0x280 net/socket.c:650
     sock_close+0x18/0x20 net/socket.c:1365
     __fput+0x27c/0xa90 fs/file_table.c:320
     task_work_run+0x16b/0x270 kernel/task_work.c:179
     exit_task_work include/linux/task_work.h:38 [inline]
     do_exit+0xb35/0x2a20 kernel/exit.c:820
     do_group_exit+0xd0/0x2a0 kernel/exit.c:950
     __do_sys_exit_group kernel/exit.c:961 [inline]
     __se_sys_exit_group kernel/exit.c:959 [inline]
     __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:959

Fixes: ed472b0 ("rxrpc: Call udp_sendmsg() directly")
Reported-by: Eric Dumazet <[email protected]>
Suggested-by: Eric Dumazet <[email protected]>
Signed-off-by: David Howells <[email protected]>
cc: Marc Dionne <[email protected]>
cc: [email protected]
(cherry picked from commit 6423ac2)
Signed-off-by: Jonathan Maple <[email protected]>
1 parent 06149fc commit 769f696

1 file changed: +12 -6 lines changed
net/rxrpc/output.c

@@ -18,15 +18,21 @@
1818

1919
extern int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len);
2020

21-
static ssize_t do_udp_sendmsg(struct socket *sk, struct msghdr *msg, size_t len)
21+
static ssize_t do_udp_sendmsg(struct socket *socket, struct msghdr *msg, size_t len)
2222
{
23-
#if IS_ENABLED(CONFIG_AF_RXRPC_IPV6)
2423
struct sockaddr *sa = msg->msg_name;
24+
struct sock *sk = socket->sk;
2525

26-
if (sa->sa_family == AF_INET6)
27-
return udpv6_sendmsg(sk->sk, msg, len);
28-
#endif
29-
return udp_sendmsg(sk->sk, msg, len);
26+
if (IS_ENABLED(CONFIG_AF_RXRPC_IPV6)) {
27+
if (sa->sa_family == AF_INET6) {
28+
if (sk->sk_family != AF_INET6) {
29+
pr_warn("AF_INET6 address on AF_INET socket\n");
30+
return -ENOPROTOOPT;
31+
}
32+
return udpv6_sendmsg(sk, msg, len);
33+
}
34+
}
35+
return udp_sendmsg(sk, msg, len);
3036
}
3137

3238
struct rxrpc_abort_buffer {
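
Review bot: The pr_warn("AF_INET6 address on AF_INET socket\n") in the new sk->sk_family != AF_INET6 branch is not rate limited. The call trace in the commit message shows do_udp_sendmsg() being reached from rxrpc_send_abort_packet() while calls are released at socket close, so the message can be printed once per abort packet and crowd out other kernel log entries; pr_warn_ratelimited() or pr_warn_once() would keep the diagnostic without that risk. On the same branch, -ENOPROTOOPT reads as a missing protocol option rather than an address-family mismatch; -EAFNOSUPPORT would describe the condition more directly, unless a caller depends on the current value. A one-line comment above the check saying how an AF_INET6 address can reach an AF_INET socket would also help, since nothing in this hunk shows where msg->msg_name is populated.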
