From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sasha Levin <sasha.levin@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.10 27/62] rds: prevent dereference of a NULL device
Date: Mon, 13 Jan 2014 16:26:52 -0800 [thread overview]
Message-ID: <20140114002711.236683682@linuxfoundation.org> (raw)
In-Reply-To: <20140114002710.464561569@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sasha Levin <sasha.levin@oracle.com>
[ Upstream commit c2349758acf1874e4c2b93fe41d072336f1a31d0 ]
Binding might result in a NULL device, which is dereferenced
causing this BUG:
[ 1317.260548] BUG: unable to handle kernel NULL pointer dereference at 000000000000097
4
[ 1317.261847] IP: [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
[ 1317.263315] PGD 418bcb067 PUD 3ceb21067 PMD 0
[ 1317.263502] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1317.264179] Dumping ftrace buffer:
[ 1317.264774] (ftrace buffer empty)
[ 1317.265220] Modules linked in:
[ 1317.265824] CPU: 4 PID: 836 Comm: trinity-child46 Tainted: G W 3.13.0-rc4-
next-20131218-sasha-00013-g2cebb9b-dirty #4159
[ 1317.267415] task: ffff8803ddf33000 ti: ffff8803cd31a000 task.ti: ffff8803cd31a000
[ 1317.268399] RIP: 0010:[<ffffffff84225f52>] [<ffffffff84225f52>] rds_ib_laddr_check+
0x82/0x110
[ 1317.269670] RSP: 0000:ffff8803cd31bdf8 EFLAGS: 00010246
[ 1317.270230] RAX: 0000000000000000 RBX: ffff88020b0dd388 RCX: 0000000000000000
[ 1317.270230] RDX: ffffffff8439822e RSI: 00000000000c000a RDI: 0000000000000286
[ 1317.270230] RBP: ffff8803cd31be38 R08: 0000000000000000 R09: 0000000000000000
[ 1317.270230] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[ 1317.270230] R13: 0000000054086700 R14: 0000000000a25de0 R15: 0000000000000031
[ 1317.270230] FS: 00007ff40251d700(0000) GS:ffff88022e200000(0000) knlGS:000000000000
0000
[ 1317.270230] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1317.270230] CR2: 0000000000000974 CR3: 00000003cd478000 CR4: 00000000000006e0
[ 1317.270230] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1317.270230] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602
[ 1317.270230] Stack:
[ 1317.270230] 0000000054086700 5408670000a25de0 5408670000000002 0000000000000000
[ 1317.270230] ffffffff84223542 00000000ea54c767 0000000000000000 ffffffff86d26160
[ 1317.270230] ffff8803cd31be68 ffffffff84223556 ffff8803cd31beb8 ffff8800c6765280
[ 1317.270230] Call Trace:
[ 1317.270230] [<ffffffff84223542>] ? rds_trans_get_preferred+0x42/0xa0
[ 1317.270230] [<ffffffff84223556>] rds_trans_get_preferred+0x56/0xa0
[ 1317.270230] [<ffffffff8421c9c3>] rds_bind+0x73/0xf0
[ 1317.270230] [<ffffffff83e4ce62>] SYSC_bind+0x92/0xf0
[ 1317.270230] [<ffffffff812493f8>] ? context_tracking_user_exit+0xb8/0x1d0
[ 1317.270230] [<ffffffff8119313d>] ? trace_hardirqs_on+0xd/0x10
[ 1317.270230] [<ffffffff8107a852>] ? syscall_trace_enter+0x32/0x290
[ 1317.270230] [<ffffffff83e4cece>] SyS_bind+0xe/0x10
[ 1317.270230] [<ffffffff843a6ad0>] tracesys+0xdd/0xe2
[ 1317.270230] Code: 00 8b 45 cc 48 8d 75 d0 48 c7 45 d8 00 00 00 00 66 c7 45 d0 02 00
89 45 d4 48 89 df e8 78 49 76 ff 41 89 c4 85 c0 75 0c 48 8b 03 <80> b8 74 09 00 00 01 7
4 06 41 bc 9d ff ff ff f6 05 2a b6 c2 02
[ 1317.270230] RIP [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
[ 1317.270230] RSP <ffff8803cd31bdf8>
[ 1317.270230] CR2: 0000000000000974
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rds/ib.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -338,7 +338,8 @@ static int rds_ib_laddr_check(__be32 add
ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
/* due to this, we will claim to support iWARP devices unless we
check node_type. */
- if (ret || cm_id->device->node_type != RDMA_NODE_IB_CA)
+ if (ret || !cm_id->device ||
+ cm_id->device->node_type != RDMA_NODE_IB_CA)
ret = -EADDRNOTAVAIL;
rdsdebug("addr %pI4 ret %d node type %d\n",
next prev parent reply other threads:[~2014-01-14 0:57 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-14 0:26 [PATCH 3.10 00/62] 3.10.27-stable review Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 01/62] irqchip: renesas-irqc: Fix irqc_probe error handling Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 02/62] clocksource: em_sti: Set cpu_possible_mask to fix SMP broadcast Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 03/62] gpio-rcar: R-Car GPIO IRQ share interrupt Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 04/62] HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue"" Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 05/62] IPv6: Fixed support for blackhole and prohibit routes Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 06/62] net: do not pretend FRAGLIST support Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 07/62] rds: prevent BUG_ON triggered on congestion update to loopback Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 08/62] macvtap: Do not double-count received packets Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 09/62] macvtap: update file current position Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 10/62] tun: " Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 11/62] macvtap: signal truncated packets Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 12/62] virtio: delete napi structures from netdev before releasing memory Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 13/62] packet: fix send path when running with proto == 0 Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 14/62] ipv6: dont count addrconf generated routes against gc limit Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 15/62] net: drop_monitor: fix the value of maxattr Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 16/62] net: unix: allow set_peek_off to fail Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 17/62] tg3: Initialize REG_BASE_ADDR at PCI config offset 120 to 0 Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 18/62] netvsc: dont flush peers notifying work during setting mtu Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 19/62] ipv6: fix illegal mac_header comparison on 32bit Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 20/62] net: unix: allow bind to fail on mutex lock Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 22/62] net: inet_diag: zero out uninitialized idiag_{src,dst} fields Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 23/62] drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl() Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 25/62] net: fec: fix potential use after free Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 26/62] ipv6: always set the new created dsts from in ip6_rt_copy Greg Kroah-Hartman
2014-01-14 0:26 ` Greg Kroah-Hartman [this message]
2014-01-14 0:26 ` [PATCH 3.10 28/62] net: rose: restore old recvmsg behavior Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 29/62] vlan: Fix header ops passthru when doing TX VLAN offload Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 30/62] virtio_net: fix error handling for mergeable buffers Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 31/62] virtio-net: make all RX paths handle errors consistently Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 32/62] virtio_net: dont leak memory or block when too many frags Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 33/62] virtio-net: fix refill races during restore Greg Kroah-Hartman
2014-01-14 0:26 ` [PATCH 3.10 34/62] net: llc: fix use after free in llc_ui_recvmsg Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 35/62] netpoll: Fix missing TXQ unlock and and OOPS Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 36/62] bridge: use spin_lock_bh() in br_multicast_set_hash_max Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 37/62] net: Loosen constraints for recalculating checksum in skb_segment() Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 38/62] ARM: fix footbridge clockevent device Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 39/62] ARM: fix "bad mode in ... handler" message for undefined instructions Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 40/62] ARM: dts: exynos5250: Fix MDMA0 clock number Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 41/62] ARM: shmobile: kzm9g: Fix coherent DMA mask Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 42/62] ARM: shmobile: armadillo: " Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 43/62] ARM: shmobile: mackerel: " Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 45/62] parisc: Ensure full cache coherency for kmap/kunmap Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 46/62] ahci: add PCI ID for Marvell 88SE9170 SATA controller Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 47/62] clk: clk-divider: fix divisor > 255 bug Greg Kroah-Hartman
2014-01-14 0:27 ` Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 48/62] clk: samsung: exynos4: Correct SRC_MFC register Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 49/62] clk: samsung: exynos5250: Add CLK_IGNORE_UNUSED flag for the sysreg clock Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 50/62] clk: exynos5250: fix sysmmu_mfc{l,r} gate clocks Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 51/62] mfd: rtsx_pcr: Disable interrupts before cancelling delayed works Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 52/62] ACPI / TPM: fix memory leak when walking ACPI namespace Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 53/62] ACPI / Battery: Add a _BIX quirk for NEC LZ750/LS Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 54/62] mac80211: move "bufferable MMPDU" check to fix AP mode scan Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 55/62] intel_pstate: Add X86_FEATURE_APERFMPERF to cpu match parameters Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 56/62] SCSI: sd: Reduce buffer size for vpd request Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 57/62] netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 58/62] x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 59/62] sched: Fix race on toggling cfs_bandwidth_used Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 60/62] sched: Fix cfs_bandwidth misuse of hrtimer_expires_remaining Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 61/62] sched: Fix hrtimer_cancel()/rq->lock deadlock Greg Kroah-Hartman
2014-01-14 0:27 ` [PATCH 3.10 62/62] sched: Guarantee new group-entities always have weight Greg Kroah-Hartman
2014-01-14 3:02 ` [PATCH 3.10 00/62] 3.10.27-stable review Guenter Roeck
2014-01-14 23:12 ` Greg Kroah-Hartman
2014-01-14 19:30 ` Shuah Khan
2014-01-14 23:12 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140114002711.236683682@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sasha.levin@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.