• Junling Zheng's avatar
    net: socket: Fix the wrong returns for recvmsg and sendmsg · af0cc4dc
    Junling Zheng authored
    Based on 08adb7da upstream.
    
    We found that after v3.10.73, recvmsg might return -EFAULT while -EINVAL
    was expected.
    
    We tested it through the recvmsg01 testcase come from LTP testsuit. It set
    msg->msg_namelen to -1 and the recvmsg syscall returned errno 14, which is
    unexpected (errno 22 is expected):
    
    recvmsg01    4  TFAIL  :  invalid socket length ; returned -1 (expected -1),
    errno 14 (expected 22)
    
    Linux mainline has no this bug for commit 08adb7da fixes it accidentally.
    However, it is too large and complex to be backported to LTS 3.10.
    
    Commit 281c9c36 (net: compat: Update get_compat_msghdr() to match
    copy_msghdr_from_user() behaviour) made get_compat_msghdr() return
    error if msg_sys->msg_namelen was negative, which changed the behaviors
    of recvmsg and sendmsg syscall in a lib32 system:
    
    Before commit 281c9c36, get_compat_msghdr() wouldn't fail and it would
    return -EINVAL in move_addr_to_user() or somewhere if msg_sys->msg_namelen
    was invalid and then syscall returned -EINVAL, which is correct.
    
    And now, when msg_sys->msg_namelen is negative, get_compat_msghdr() will
    fail and wants to return -EINVAL, however, the outer syscall will return
    -EFAULT directly, which is unexpected.
    
    This patch gets the return value of get_compat_msghdr() as well as
    copy_msghdr_from_user(), then returns this expected value if
    get_compat_msghdr() fails.
    
    Fixes: 281c9c36 (net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour)
    Signed-off-by: default avatarJunling Zheng <zhengjunling@huawei.com>
    Signed-off-by: default avatarHanbing Xu <xuhanbing@huawei.com>
    Cc: Li Zefan <lizefan@huawei.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: David Miller <davem@davemloft.net>
    Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
    af0cc4dc
socket.c 84.1 KB