[PATCH 4.1 22/95] RDS: verify the underlying transport exists before creating a connection

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Santosh Shilimkar <santosh.shilimkar@oracle.com>,
	Sasha Levin <sasha.levin@oracle.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.1 22/95] RDS: verify the underlying transport exists before creating a connection
Date: Mon,  7 Dec 2015 09:35:16 -0500	[thread overview]
Message-ID: <20151207142740.420797070@linuxfoundation.org> (raw)
In-Reply-To: <20151207142739.317088107@linuxfoundation.org>

4.1-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sasha Levin <sasha.levin@oracle.com>

[ Upstream commit 74e98eb085889b0d2d4908f59f6e00026063014f ]

There was no verification that an underlying transport exists when creating
a connection, this would cause dereferencing a NULL ptr.

It might happen on sockets that weren't properly bound before attempting to
send a message, which will cause a NULL ptr deref:

[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[135546.051270] Modules linked in:
[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
[135546.055666] RSP: 0018:ffff8800bc70fab0  EFLAGS: 00010202
[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
[135546.061668] FS:  00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
[135546.062836] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
[135546.064723] Stack:
[135546.065048]  ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
[135546.066247]  0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
[135546.067438]  1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
[135546.068629] Call Trace:
[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
[135546.071981] rds_sendmsg (net/rds/send.c:1058)
[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
[135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
[135546.076349] ? __might_fault (mm/memory.c:3795)
[135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
[135546.078856] SYSC_sendto (net/socket.c:1657)
[135546.079596] ? SYSC_connect (net/socket.c:1628)
[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1

Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/connection.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -187,6 +187,12 @@ new_conn:
 		}
 	}
 
+	if (trans == NULL) {
+		kmem_cache_free(rds_conn_slab, conn);
+		conn = ERR_PTR(-ENODEV);
+		goto out;
+	}
+
 	conn->c_trans = trans;
 
 	ret = trans->conn_alloc(conn, gfp);

next prev parent reply	other threads:[~2015-12-07 14:36 UTC|newest]

Thread overview: 90+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-12-07 14:34 [PATCH 4.1 00/95] 4.1.14-stable review Greg Kroah-Hartman
2015-12-07 14:34 ` [PATCH 4.1 02/95] tipc: allow non-linear first fragment buffer Greg Kroah-Hartman
2015-12-07 14:34 ` [PATCH 4.1 04/95] macvtap: unbreak receiving of gro skb with frag list Greg Kroah-Hartman
2015-12-07 14:34 ` [PATCH 4.1 05/95] ppp: fix pppoe_dev deletion condition in pppoe_release() Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 06/95] ipv6: gre: support SIT encapsulation Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 07/95] fib_trie: leaf_walk_rcu should not compute key if key is less than pn->key Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 08/95] RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in rds_tcp_data_recv Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 09/95] net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 10/95] tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 11/95] stmmac: Correctly report PTP capabilities Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 12/95] ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH() in preemptible context Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 14/95] sit: fix sit0 percpu double allocations Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 15/95] sfc: push partner queue for skb->xmit_more Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 16/95] net: avoid NULL deref in inet_ctl_sock_destroy() Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 17/95] ipv6: clean up dev_snmp6 proc entry when we fail to initialize inet6_dev Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 18/95] ipv4: disable BH when changing ip local port range Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 19/95] packet: race condition in packet_bind Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 20/95] net: fix a race in dst_release() Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 21/95] virtio-net: drop NETIF_F_FRAGLIST Greg Kroah-Hartman
2015-12-07 14:35 ` Greg Kroah-Hartman [this message]
2015-12-07 14:35 ` [PATCH 4.1 23/95] ARM: 8426/1: dma-mapping: add missing range check in dma_mmap() Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 24/95] ARM: 8427/1: dma-mapping: add support for offset parameter " Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 25/95] ARM: common: edma: Fix channel parameter for irq callbacks Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 26/95] ARM: dts: imx27.dtsi: change the clock information for usb Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 27/95] ARM: tegra: paz00: use con_ids to refer GPIOs in gpiod_lookup table Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 28/95] ARM: at91/dt: corrections to i2c1 declaration to sama5d4 Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 29/95] ARM: at91: pm: at91_pm_suspend_in_sram() must be 8-byte aligned Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 30/95] ARM: dts: Fix WLAN regression on omap5-uevm Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 31/95] ARM: pxa: remove incorrect __init annotation on pxa27x_set_pwrmode Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 32/95] MIPS: lantiq: add clk_round_rate() Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 33/95] MIPS: KVM: Fix ASID restoration logic Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 34/95] MIPS: KVM: Fix CACHE immediate offset sign extension Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 35/95] MIPS: KVM: Uninit VCPU in vcpu_create error path Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 37/95] KVM: x86: work around infinite loop in microcode when #AC is delivered Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 38/95] x86/setup: Extend low identity map to cover whole kernel range Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 39/95] x86/setup: Fix low identity map for >= 2GB " Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 40/95] x86/cpu: Call verify_cpu() after having entered long mode too Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 41/95] x86/cpu: Fix SMAP check in PVOPS environments Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 42/95] mac80211: Fix local deauth while associating Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 43/95] mac80211: fix driver RSSI event calculations Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 44/95] mac80211: allow null chandef in tracing Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 45/95] mac80211: fix divide by zero when NOA update Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 46/95] nl80211: Fix potential memory leak from parse_acl_data Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 47/95] NFC: nci: Fix incorrect data chaining when sending data Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 48/95] NFC: nci: Fix improper management of HCI return code Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 49/95] NFC: nci: extract pipe value using NCI_HCP_MSG_GET_PIPE Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 50/95] iwlwifi: pcie: fix (again) prepare card flow Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 51/95] iwlwifi: Add new PCI IDs for the 8260 series Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 52/95] net: mvneta: Fix CPU_MAP registers initialisation Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 53/95] fs/proc, core/debug: Dont expose absolute kernel addresses via wchan Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 54/95] clk: versatile-icst: fix memory leak Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 55/95] mfd: twl6040: Fix deferred probe handling for clk32k Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 56/95] mwifiex: fix mwifiex_rdeeprom_read() Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 57/95] staging: rtl8712: Add device ID for Sitecom WLA2100 Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 58/95] Bluetooth: hidp: fix device disconnect on idle timeout Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 59/95] Bluetooth: ath3k: Add new AR3012 0930:021c id Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 60/95] Bluetooth: ath3k: Add support of AR3012 0cf3:817b device Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 61/95] Bluetooth: Fix removing connection parameters when unpairing Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 62/95] can: Use correct type in sizeof() in nla_put() Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 63/95] can: sja1000: clear interrupts on start Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 64/95] arm64: Fix compat register mappings Greg Kroah-Hartman
2015-12-07 14:35 ` [PATCH 4.1 65/95] arm64: page-align sections for DEBUG_RODATA Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 66/95] ath10k: fix invalid NSS for 4x4 devices Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 67/95] KVM: s390: SCA must not cross page boundaries Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 68/95] KVM: s390: fix wrong lookup of VCPUs by array index Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 69/95] KVM: s390: avoid memory overwrites on emergency signal injection Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 71/95] usb: gadget: atmel_usba_udc: Expose correct device speed Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 72/95] usb: dwc3: gadget: let us set lower max_speed Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 73/95] usb: chipidea: otg: gadget module load and unload support Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 74/95] usb: dwc3: pci: Add the Synopsys HAPS AXI Product ID Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 75/95] usb: dwc3: pci: Add the PCI Product ID for Synopsys USB 3.1 Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 76/95] usb: dwc3: Support Synopsys USB 3.1 IP Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 77/95] usb: dwc3: pci: Add platform data for Synopsys HAPS Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 78/95] usb: chipidea: imx: refine clock operations to adapt for all platforms Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 79/95] ALSA: usb: Add native DSD support for Aune X1S Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 80/95] usb: ehci-orion: fix probe for !GENERIC_PHY Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 81/95] usblp: do not set TASK_INTERRUPTIBLE before lock Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 85/95] USB: ti_usb_3410_5052: Add Honeywell HGI80 ID Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 88/95] ALSA: usb-audio: add packet size quirk for the Medeli DD305 Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 89/95] ALSA: usb-audio: prevent CH345 multiport output SysEx corruption Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 90/95] ALSA: usb-audio: work around CH345 input " Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 92/95] tty: Fix tty_send_xchar() lock order inversion Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 93/95] xhci: Workaround to get Intel xHCI reset working more reliably Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 94/95] staging/lustre: use jiffies for lp_last_query times Greg Kroah-Hartman
2015-12-07 14:36 ` [PATCH 4.1 95/95] KVM: s390: enable SIMD only when no VCPUs were created Greg Kroah-Hartman
2015-12-07 17:18 ` [PATCH 4.1 00/95] 4.1.14-stable review Shuah Khan
     [not found] ` <20151207142739.500311914@linuxfoundation.org>
2015-12-07 17:21   ` [PATCH 4.1 03/95] qmi_wwan: add Sierra Wireless MC74xx/EM74xx Bjørn Mork
2015-12-09  3:28     ` Greg Kroah-Hartman
2015-12-07 21:26 ` [PATCH 4.1 00/95] 4.1.14-stable review Guenter Roeck
2015-12-09  3:19   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151207142740.420797070@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=santosh.shilimkar@oracle.com \
    --cc=sasha.levin@oracle.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).