From patchwork Tue Sep 1 15:08:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 264544 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1472C43461 for ; Tue, 1 Sep 2020 16:44:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 74EE72067C for ; Tue, 1 Sep 2020 16:44:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598978650; bh=PqrMqbBH0Z4mgkBMY6zCc7uImtlAmTC0nFywzlrEX6A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=BsLQ78rIpVFJBfld0Hk40/g/RCO8mgzNuFRClF9NTA7MDHnrAB4wgLDzvYD1OlVkw nymI1Two1/dscErgHljycbSP8ISzsB2sNYBn8NQuz9Q9RqdA7P6bR7/LLZpjnqbZlY maja8B+nuErTNjjeBRdzHYLB9o78OTnAEJh8ehDc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730281AbgIAQoH (ORCPT ); Tue, 1 Sep 2020 12:44:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:55100 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730259AbgIAP1n (ORCPT ); Tue, 1 Sep 2020 11:27:43 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9CE72206FA; Tue, 1 Sep 2020 15:27:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598974063; bh=PqrMqbBH0Z4mgkBMY6zCc7uImtlAmTC0nFywzlrEX6A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1bbpehUXpj7vHZa0Nfy63ArP5NUGnzOchiXTQWbtUcdkl9Dk34vwBHm+c2Fw2RNMO ZOmXkFZkRA1Fq8GbldT94WdmlmvvteTk8G8q4Wq+eMGp9AerOopYxXggaA+2ZBrt9o kqwheu0h1G/RuMcjVueFNzOVrrV8aoaNf6GXTW+E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+f31428628ef672716ea8@syzkaller.appspotmail.com, Necip Fazil Yildiran , Dmitry Vyukov , "David S. Miller" Subject: [PATCH 5.4 006/214] net: qrtr: fix usage of idr in port assignment to socket Date: Tue, 1 Sep 2020 17:08:06 +0200 Message-Id: <20200901150953.254936782@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200901150952.963606936@linuxfoundation.org> References: <20200901150952.963606936@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Necip Fazil Yildiran [ Upstream commit 8dfddfb79653df7c38a9c8c4c034f242a36acee9 ] Passing large uint32 sockaddr_qrtr.port numbers for port allocation triggers a warning within idr_alloc() since the port number is cast to int, and thus interpreted as a negative number. This leads to the rejection of such valid port numbers in qrtr_port_assign() as idr_alloc() fails. To avoid the problem, switch to idr_alloc_u32() instead. Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") Reported-by: syzbot+f31428628ef672716ea8@syzkaller.appspotmail.com Signed-off-by: Necip Fazil Yildiran Reviewed-by: Dmitry Vyukov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/qrtr/qrtr.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) --- a/net/qrtr/qrtr.c +++ b/net/qrtr/qrtr.c @@ -547,23 +547,25 @@ static void qrtr_port_remove(struct qrtr */ static int qrtr_port_assign(struct qrtr_sock *ipc, int *port) { + u32 min_port; int rc; mutex_lock(&qrtr_port_lock); if (!*port) { - rc = idr_alloc(&qrtr_ports, ipc, - QRTR_MIN_EPH_SOCKET, QRTR_MAX_EPH_SOCKET + 1, - GFP_ATOMIC); - if (rc >= 0) - *port = rc; + min_port = QRTR_MIN_EPH_SOCKET; + rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, QRTR_MAX_EPH_SOCKET, GFP_ATOMIC); + if (!rc) + *port = min_port; } else if (*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)) { rc = -EACCES; } else if (*port == QRTR_PORT_CTRL) { - rc = idr_alloc(&qrtr_ports, ipc, 0, 1, GFP_ATOMIC); + min_port = 0; + rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, 0, GFP_ATOMIC); } else { - rc = idr_alloc(&qrtr_ports, ipc, *port, *port + 1, GFP_ATOMIC); - if (rc >= 0) - *port = rc; + min_port = *port; + rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, *port, GFP_ATOMIC); + if (!rc) + *port = min_port; } mutex_unlock(&qrtr_port_lock);