From: lizf@kernel.org
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Sasha Levin <sasha.levin@oracle.com>,
"David S. Miller" <davem@davemloft.net>,
Zefan Li <lizefan@huawei.com>
Subject: [PATCH 3.4 095/107] atm: deal with setting entry before mkip was called
Date: Wed, 16 Mar 2016 16:06:29 +0800 [thread overview]
Message-ID: <1458115601-5762-95-git-send-email-lizf@kernel.org> (raw)
In-Reply-To: <1458115541-5712-1-git-send-email-lizf@kernel.org>
From: Sasha Levin <sasha.levin@oracle.com>
3.4.111-rc1 review patch. If anyone has any objections, please let me know.
------------------
commit 34f5b0066435ffb793049b84fafd29fa195bcf90 upstream.
If we didn't call ATMARP_MKIP before ATMARP_ENCAP the VCC descriptor is
non-existant and we'll end up dereferencing a NULL ptr:
[1033173.491930] kasan: GPF could be caused by NULL-ptr deref or user memory accessirq event stamp: 123386
[1033173.493678] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[1033173.493689] Modules linked in:
[1033173.493697] CPU: 9 PID: 23815 Comm: trinity-c64 Not tainted 4.2.0-next-20150911-sasha-00043-g353d875-dirty #2545
[1033173.493706] task: ffff8800630c4000 ti: ffff880063110000 task.ti: ffff880063110000
[1033173.493823] RIP: clip_ioctl (net/atm/clip.c:320 net/atm/clip.c:689)
[1033173.493826] RSP: 0018:ffff880063117a88 EFLAGS: 00010203
[1033173.493828] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000000c
[1033173.493830] RDX: 0000000000000002 RSI: ffffffffb3f10720 RDI: 0000000000000014
[1033173.493832] RBP: ffff880063117b80 R08: ffff88047574d9a4 R09: 0000000000000000
[1033173.493834] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000c622f53
[1033173.493836] R13: ffff8800cb905500 R14: ffff8808d6da2000 R15: 00000000fffffdfd
[1033173.493840] FS: 00007fa56b92d700(0000) GS:ffff880478000000(0000) knlGS:0000000000000000
[1033173.493843] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[1033173.493845] CR2: 0000000000000000 CR3: 00000000630e8000 CR4: 00000000000006a0
[1033173.493855] Stack:
[1033173.493862] ffffffffb0b60444 000000000000eaea 0000000041b58ab3 ffffffffb3c3ce32
[1033173.493867] ffffffffb0b6f3e0 ffffffffb0b60444 ffffffffb5ea2e50 1ffff1000c622f5e
[1033173.493873] ffff8800630c4cd8 00000000000ee09a ffffffffb3ec4888 ffffffffb5ea2de8
[1033173.493874] Call Trace:
[1033173.494108] do_vcc_ioctl (net/atm/ioctl.c:170)
[1033173.494113] vcc_ioctl (net/atm/ioctl.c:189)
[1033173.494116] svc_ioctl (net/atm/svc.c:605)
[1033173.494200] sock_do_ioctl (net/socket.c:874)
[1033173.494204] sock_ioctl (net/socket.c:958)
[1033173.494244] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[1033173.494290] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[1033173.494295] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:186)
[1033173.494362] Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 50 09 00 00 49 8b 9e 60 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 14 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 14 09 00
All code
========
0: fa cli
1: 48 c1 ea 03 shr $0x3,%rdx
5: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
9: 0f 85 50 09 00 00 jne 0x95f
f: 49 8b 9e 60 06 00 00 mov 0x660(%r14),%rbx
16: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1d: fc ff df
20: 48 8d 7b 14 lea 0x14(%rbx),%rdi
24: 48 89 fa mov %rdi,%rdx
27: 48 c1 ea 03 shr $0x3,%rdx
2b:* 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2f: 48 89 fa mov %rdi,%rdx
32: 83 e2 07 and $0x7,%edx
35: 38 d0 cmp %dl,%al
37: 7f 08 jg 0x41
39: 84 c0 test %al,%al
3b: 0f 85 14 09 00 00 jne 0x955
Code starting with the faulting instruction
===========================================
0: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax
4: 48 89 fa mov %rdi,%rdx
7: 83 e2 07 and $0x7,%edx
a: 38 d0 cmp %dl,%al
c: 7f 08 jg 0x16
e: 84 c0 test %al,%al
10: 0f 85 14 09 00 00 jne 0x92a
[1033173.494366] RIP clip_ioctl (net/atm/clip.c:320 net/atm/clip.c:689)
[1033173.494368] RSP <ffff880063117a88>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Zefan Li <lizefan@huawei.com>
---
net/atm/clip.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/atm/clip.c b/net/atm/clip.c
index 8ae3a78..e55e664 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -317,6 +317,9 @@ static int clip_constructor(struct neighbour *neigh)
static int clip_encap(struct atm_vcc *vcc, int mode)
{
+ if (!CLIP_VCC(vcc))
+ return -EBADFD;
+
CLIP_VCC(vcc)->encap = mode;
return 0;
}
--
1.9.1
next prev parent reply other threads:[~2016-03-16 8:13 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-16 8:05 [PATCH 3.4 000/107] 3.4.111-rc1 review lizf
2016-03-16 8:04 ` [PATCH 3.4 001/107] Btrfs: use kmem_cache_free when freeing entry in inode cache lizf
2016-03-16 8:04 ` [PATCH 3.4 002/107] fs/buffer.c: support buffer cache allocations with gfp modifiers lizf
2016-03-16 8:04 ` [PATCH 3.4 003/107] bufferhead: Add _gfp version for sb_getblk() lizf
2016-03-16 8:04 ` [PATCH 3.4 004/107] ext4: avoid deadlocks in the writeback path by using sb_getblk_gfp lizf
2016-03-16 8:04 ` [PATCH 3.4 005/107] ext4: replace open coded nofail allocation in ext4_free_blocks() lizf
2016-03-16 8:05 ` [PATCH 3.4 006/107] mm: avoid setting up anonymous pages into file mapping lizf
2016-03-16 8:05 ` [PATCH 3.4 007/107] hpfs: kstrdup() out of memory handling lizf
2016-03-16 8:05 ` [PATCH 3.4 008/107] hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead lizf
2016-03-16 8:05 ` [PATCH 3.4 009/107] 9p: don't leave a half-initialized inode sitting around lizf
2016-03-16 8:05 ` [PATCH 3.4 010/107] ALSA: usb-audio: Add MIDI support for Steinberg MI2/MI4 lizf
2016-03-16 8:05 ` [PATCH 3.4 011/107] dm btree remove: fix bug in redistribute3 lizf
2016-03-16 8:05 ` [PATCH 3.4 012/107] dm thin: allocate the cell_sort_array dynamically lizf
2016-03-16 8:05 ` [PATCH 3.4 013/107] USB: option: add 2020:4000 ID lizf
2016-03-16 8:05 ` [PATCH 3.4 014/107] USB: cp210x: add ID for Aruba Networks controllers lizf
2016-03-16 8:05 ` [PATCH 3.4 015/107] dm btree: silence lockdep lock inversion in dm_btree_del() lizf
2016-03-16 8:05 ` [PATCH 3.4 016/107] s390/sclp: clear upper register halves in _sclp_print_early lizf
2016-03-16 8:05 ` [PATCH 3.4 017/107] drm: add a check for x/y in drm_mode_setcrtc lizf
2016-03-16 8:05 ` [PATCH 3.4 018/107] rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver lizf
2016-03-16 8:05 ` [PATCH 3.4 019/107] net: do not process device backlog during unregistration lizf
2016-03-16 8:05 ` [PATCH 3.4 020/107] net: call rcu_read_lock early in process_backlog lizf
2016-03-16 8:05 ` [PATCH 3.4 021/107] s390/process: fix sfpc inline assembly lizf
2016-03-16 8:05 ` [PATCH 3.4 022/107] rds: rds_ib_device.refcount overflow lizf
2016-03-16 8:05 ` [PATCH 3.4 023/107] st: null pointer dereference panic caused by use after kref_put by st_open lizf
2016-03-16 8:05 ` [PATCH 3.4 024/107] ata: pmp: add quirk for Marvell 4140 SATA PMP lizf
2016-03-16 8:05 ` [PATCH 3.4 025/107] libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER lizf
2016-03-16 8:05 ` [PATCH 3.4 026/107] libata: add ATA_HORKAGE_NOTRIM lizf
2016-03-16 8:05 ` [PATCH 3.4 027/107] libata: force disable trim for SuperSSpeed S238 lizf
2016-03-16 8:05 ` [PATCH 3.4 028/107] libata: increase the timeout when setting transfer mode lizf
2016-03-16 8:05 ` [PATCH 3.4 029/107] net: Clone skb before setting peeked flag lizf
2016-03-16 8:05 ` [PATCH 3.4 030/107] NET: AX.25: Stop heartbeat timer on disconnect lizf
2016-03-16 10:40 ` Richard Stearn
2016-03-17 1:18 ` Zefan Li
2016-03-16 8:05 ` [PATCH 3.4 031/107] can: mcp251x: fix resume when device is down lizf
2016-03-16 8:05 ` [PATCH 3.4 032/107] mac80211: clear subdir_stations when removing debugfs lizf
2016-03-16 8:05 ` [PATCH 3.4 033/107] inet: frags: fix defragmented packet's IP header for af_packet lizf
2016-03-16 8:05 ` [PATCH 3.4 034/107] md: make sure everything is freed when dm-raid stops an array lizf
2016-03-16 8:05 ` [PATCH 3.4 035/107] md: flush ->event_work before stopping array lizf
2016-03-16 8:05 ` [PATCH 3.4 036/107] usb: dwc3: Reset the transfer resource index on SET_INTERFACE lizf
2016-03-16 8:05 ` [PATCH 3.4 037/107] usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function lizf
2016-03-16 8:05 ` [PATCH 3.4 038/107] xhci: Calculate old endpoints correctly on device reset lizf
2016-03-16 8:05 ` [PATCH 3.4 039/107] xhci: report U3 when link is in resume state lizf
2016-03-16 8:05 ` [PATCH 3.4 040/107] xhci: prevent bus_suspend if SS port resuming in phase 1 lizf
2016-03-16 8:05 ` [PATCH 3.4 041/107] usb-storage: ignore ZTE MF 823 card reader in mode 0x1225 lizf
2016-03-16 8:05 ` [PATCH 3.4 042/107] tile: use free_bootmem_late() for initrd lizf
2016-03-16 8:05 ` [PATCH 3.4 043/107] Input: usbtouchscreen - avoid unresponsive TSC-30 touch screen lizf
2016-03-16 8:05 ` [PATCH 3.4 044/107] md/raid1: fix test for 'was read error from last working device' lizf
2016-03-16 8:05 ` [PATCH 3.4 045/107] mmc: block: Add missing mmc_blk_put() in power_ro_lock_show() lizf
2016-03-16 8:05 ` [PATCH 3.4 046/107] netfilter: nf_conntrack: Support expectations in different zones lizf
2016-03-16 8:05 ` [PATCH 3.4 047/107] crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer lizf
2016-03-16 8:05 ` [PATCH 3.4 048/107] iscsi-target: Fix use-after-free during TPG session shutdown lizf
2016-03-16 8:05 ` [PATCH 3.4 049/107] niu: don't count tx error twice in case of headroom realloc fails lizf
2016-03-16 8:05 ` [PATCH 3.4 050/107] vhost: actually track log eventfd file lizf
2016-03-16 8:05 ` [PATCH 3.4 051/107] USB: sierra: add 1199:68AB device ID lizf
2016-03-16 8:05 ` [PATCH 3.4 052/107] ALSA: usb-audio: add dB range mapping for some devices lizf
2016-03-16 8:05 ` [PATCH 3.4 053/107] drm/radeon/combios: add some validation of lvds values lizf
2016-03-16 8:05 ` [PATCH 3.4 054/107] target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT lizf
2016-03-16 8:05 ` [PATCH 3.4 055/107] x86/xen: Probe target addresses in set_aliased_prot() before the hypercall lizf
2016-03-16 8:05 ` [PATCH 3.4 056/107] x86/ldt: Make modify_ldt synchronous lizf
2016-03-16 8:05 ` [PATCH 3.4 057/107] md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies lizf
2016-03-16 8:05 ` [PATCH 3.4 058/107] MIPS: Fix sched_getaffinity with MT FPAFF enabled lizf
2016-03-16 8:05 ` [PATCH 3.4 059/107] xhci: fix off by one error in TRB DMA address boundary check lizf
2016-03-16 8:05 ` [PATCH 3.4 060/107] rds: fix an integer overflow test in rds_info_getsockopt() lizf
2016-03-16 8:05 ` [PATCH 3.4 061/107] perf: Fix fasync handling on inherited events lizf
2016-03-16 8:05 ` [PATCH 3.4 062/107] MIPS: Make set_pte() SMP safe lizf
2016-03-16 8:05 ` [PATCH 3.4 063/107] ocfs2: fix BUG in ocfs2_downconvert_thread_do_work() lizf
2016-03-16 8:05 ` [PATCH 3.4 064/107] x86/ldt: Correct LDT access in single stepping logic lizf
2016-03-16 8:05 ` [PATCH 3.4 065/107] x86/ldt: Correct FPU emulation access to LDT lizf
2016-03-16 8:06 ` [PATCH 3.4 066/107] localmodconfig: Use Kbuild files too lizf
2016-03-16 8:06 ` [PATCH 3.4 067/107] dm btree: add ref counting ops for the leaves of top level btrees lizf
2016-03-16 8:06 ` [PATCH 3.4 068/107] libiscsi: Fix host busy blocking during connection teardown lizf
2016-03-16 8:06 ` [PATCH 3.4 069/107] libfc: Fix fc_fcp_cleanup_each_cmd() lizf
2016-03-16 8:06 ` [PATCH 3.4 070/107] EDAC, ppc4xx: Access mci->csrows array elements properly lizf
2016-03-16 8:06 ` [PATCH 3.4 071/107] ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits lizf
2016-03-16 8:06 ` [PATCH 3.4 072/107] net: Fix RCU splat in af_key lizf
2016-03-16 8:06 ` [PATCH 3.4 073/107] sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state lizf
2016-03-16 8:06 ` [PATCH 3.4 074/107] Revert "usb: dwc3: Reset the transfer resource index on SET_INTERFACE" lizf
2016-03-16 8:06 ` [PATCH 3.4 075/107] unix: avoid use-after-free in ep_remove_wait_queue lizf
2016-03-16 8:06 ` [PATCH 3.4 076/107] pptp: verify sockaddr_len in pptp_bind() and pptp_connect() lizf
2016-03-16 8:06 ` [PATCH 3.4 077/107] net: add validation for the socket syscall protocol argument lizf
2016-03-16 8:06 ` [PATCH 3.4 078/107] RDS: verify the underlying transport exists before creating a connection lizf
2016-03-16 8:06 ` [PATCH 3.4 079/107] RDS: fix race condition when sending a message on unbound socket lizf
2016-03-16 8:06 ` [PATCH 3.4 080/107] sg_start_req(): make sure that there's not too many elements in iovec lizf
2016-03-16 8:06 ` [PATCH 3.4 081/107] virtio-net: drop NETIF_F_FRAGLIST lizf
2016-03-16 8:06 ` [PATCH 3.4 082/107] isdn_ppp: Add checks for allocation failure in isdn_ppp_open() lizf
2016-03-16 8:06 ` [PATCH 3.4 083/107] ppp, slip: Validate VJ compression slot parameters completely lizf
2016-03-16 8:06 ` [PATCH 3.4 084/107] USB: whiteheat: fix potential null-deref at probe lizf
2016-03-16 8:06 ` [PATCH 3.4 085/107] KEYS: Fix race between key destruction and finding a keyring by name lizf
2016-03-16 8:06 ` [PATCH 3.4 086/107] KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring lizf
2016-03-16 8:06 ` [PATCH 3.4 087/107] ipv6: addrconf: validate new MTU before applying it lizf
2016-03-16 8:06 ` [PATCH 3.4 088/107] KVM: x86: work around infinite loop in microcode when #AC is delivered lizf
2016-03-16 8:06 ` [PATCH 3.4 089/107] KVM: svm: unconditionally intercept #DB lizf
2016-03-16 8:06 ` [PATCH 3.4 090/107] get rid of s_files and files_lock lizf
2016-03-16 8:06 ` [PATCH 3.4 091/107] Initialize msg/shm IPC objects before doing ipc_addid() lizf
2016-03-16 8:06 ` [PATCH 3.4 092/107] net: avoid to hang up on sending due to sysctl configuration overflow lizf
2016-03-16 8:06 ` [PATCH 3.4 093/107] ipv6: probe routes asynchronous in rt6_probe lizf
2016-03-16 8:06 ` [PATCH 3.4 094/107] netfilter: nf_conntrack: fix RCU race in nf_conntrack_find_get lizf
2016-03-16 8:06 ` lizf [this message]
2016-03-16 8:06 ` [PATCH 3.4 096/107] SUNRPC: never enqueue a ->rq_cong request on ->sending lizf
2016-03-16 8:06 ` [PATCH 3.4 097/107] ipv6: prevent fib6_run_gc() contention lizf
2016-03-16 8:06 ` [PATCH 3.4 098/107] kernel/watchdog.c: touch_nmi_watchdog should only touch local cpu not every one lizf
2016-03-16 14:09 ` Don Zickus
2016-03-17 1:20 ` Zefan Li
2016-03-16 8:06 ` [PATCH 3.4 099/107] net: fix warnings in 'make htmldocs' by moving macro definition out of field declaration lizf
2016-03-16 8:06 ` [PATCH 3.4 100/107] af_unix: Guard against other == sk in unix_dgram_sendmsg lizf
2016-03-16 8:06 ` [PATCH 3.4 101/107] x86/LDT: Print the real LDT base address lizf
2016-03-16 8:06 ` [PATCH 3.4 102/107] ALSA: tlv: compute TLV_*_ITEM lengths automatically lizf
2016-03-16 8:06 ` [PATCH 3.4 103/107] ALSA: tlv: add DECLARE_TLV_DB_RANGE() lizf
2016-03-16 8:06 ` [PATCH 3.4 104/107] ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly lizf
2016-03-16 8:06 ` [PATCH 3.4 105/107] usb: dwc3: Fix assignment of EP transfer resources lizf
2016-03-16 8:06 ` [PATCH 3.4 106/107] dm btree remove: fix a bug when rebalancing nodes after removal lizf
2016-03-16 8:06 ` [PATCH 3.4 107/107] KVM: x86: move steal time initialization to vcpu entry time lizf
2016-03-16 17:51 ` [PATCH 3.4 000/107] 3.4.111-rc1 review Guenter Roeck
2016-03-17 1:21 ` Zefan Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1458115601-5762-95-git-send-email-lizf@kernel.org \
--to=lizf@kernel.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=sasha.levin@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox