On Wed, Jun 14, 2017 at 11:37:14AM -0700, Dave Watson wrote:
>Add the infrustructure for attaching Upper Layer Protocols (ULPs) over TCP
>sockets. Based on a similar infrastructure in tcp_cong. The idea is that any
>ULP can add its own logic by changing the TCP proto_ops structure to its own
>methods.
>
>Example usage:
>
>setsockopt(sock, SOL_TCP, TCP_ULP, "tls", sizeof("tls"));
>
>modules will call:
>tcp_register_ulp(_tls_ulp_ops);
>
>to register/unregister their ulp, with an init function and name.
>
>A list of registered ulps will be returned by tcp_get_available_ulp, which is
>hooked up to /proc. Example:
>
>$ cat /proc/sys/net/ipv4/tcp_available_ulp
>tls
>
>There is currently no functionality to remove or chain ULPs, but
>it should be possible to add these in the future if needed.
>
>Signed-off-by: Boris Pismenny
>Signed-off-by: Dave Watson
Hey Dave,
I'm seeing the following while fuzzing, which was bisected to this commit:
==
BUG: KASAN: null-ptr-deref in copy_to_user include/linux/uaccess.h:168 [inline]
BUG: KASAN: null-ptr-deref in do_tcp_getsockopt.isra.33+0x24f/0x1e30
net/ipv4/tcp.c:3057
Read of size 4 at addr 0020 by task syz-executor1/15452
CPU: 0 PID: 15452 Comm: syz-executor1 Not tainted 4.12.0-rc6-next-20170623+ #173
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1
04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x11d/0x1e5 lib/dump_stack.c:52
kasan_report_error mm/kasan/report.c:349 [inline]
kasan_report+0x15e/0x370 mm/kasan/report.c:408
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x14b/0x1a0 mm/kasan/kasan.c:267
kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
copy_to_user include/linux/uaccess.h:168 [inline]
do_tcp_getsockopt.isra.33+0x24f/0x1e30 net/ipv4/tcp.c:3057
tcp_getsockopt+0xb0/0xd0 net/ipv4/tcp.c:3194
sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2863
SYSC_getsockopt net/socket.c:1869 [inline]
SyS_getsockopt+0x180/0x360 net/socket.c:1851
do_syscall_64+0x267/0x740 arch/x86/entry/common.c:284
entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x451759
RSP: 002b:7f5dc2b1fc08 EFLAGS: 0216 ORIG_RAX: 0037
RAX: ffda RBX: 00718000 RCX: 00451759
RDX: 001f RSI: 0006 RDI: 0005
RBP: 0c30 R08: 207bf000 R09:
R10: 2ffc R11: 0216 R12: 004b824b
R13: R14: 0005 R15: 0006
==
Disabling lock debugging due to kernel taint
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 15452 Comm: syz-executor1 Tainted: GB
4.12.0-rc6-next-20170623+ #173
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1
04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x11d/0x1e5 lib/dump_stack.c:52
panic+0x1bc/0x3ad kernel/panic.c:180
kasan_end_report+0x47/0x4f mm/kasan/report.c:176
kasan_report_error mm/kasan/report.c:356 [inline]
kasan_report+0x167/0x370 mm/kasan/report.c:408
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x14b/0x1a0 mm/kasan/kasan.c:267
kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
copy_to_user include/linux/uaccess.h:168 [inline]
do_tcp_getsockopt.isra.33+0x24f/0x1e30 net/ipv4/tcp.c:3057
tcp_getsockopt+0xb0/0xd0 net/ipv4/tcp.c:3194
sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2863
SYSC_getsockopt net/socket.c:1869 [inline]
SyS_getsockopt+0x180/0x360 net/socket.c:1851
do_syscall_64+0x267/0x740 arch/x86/entry/common.c:284
entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x451759
RSP: 002b:7f5dc2b1fc08 EFLAGS: 0216 ORIG_RAX: 0037
RAX: ffda RBX: 00718000 RCX: 00451759
RDX: 001f RSI: 0006 RDI: 0005
RBP: 0c30 R08: 207bf000 R09:
R10: 2ffc R11: 0216 R12: 004b824b
R13: R14: 0005 R15: 0006
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: 0x2480 from 0x8100 (relocation range:
0x8000-0xbfff)
Rebooting in 86400 seconds..
--
Thanks,
Sasha