stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Santosh Shilimkar <santosh.shilimkar@oracle.com>,
	Sasha Levin <sasha.levin@oracle.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.2 030/124] RDS: verify the underlying transport exists before creating a connection
Date: Mon,  7 Dec 2015 09:55:20 -0500
Message-ID: <20151207144921.141532993@linuxfoundation.org>
In-Reply-To: <20151207144919.656035367@linuxfoundation.org>

4.2-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sasha Levin <sasha.levin@oracle.com>

[ Upstream commit 74e98eb085889b0d2d4908f59f6e00026063014f ]

There was no verification that an underlying transport exists when creating
a connection, this would cause dereferencing a NULL ptr.

It might happen on sockets that weren't properly bound before attempting to
send a message, which will cause a NULL ptr deref:

[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[135546.051270] Modules linked in:
[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
[135546.055666] RSP: 0018:ffff8800bc70fab0  EFLAGS: 00010202
[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
[135546.061668] FS:  00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
[135546.062836] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
[135546.064723] Stack:
[135546.065048]  ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
[135546.066247]  0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
[135546.067438]  1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
[135546.068629] Call Trace:
[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
[135546.071981] rds_sendmsg (net/rds/send.c:1058)
[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
[135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
[135546.076349] ? __might_fault (mm/memory.c:3795)
[135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
[135546.078856] SYSC_sendto (net/socket.c:1657)
[135546.079596] ? SYSC_connect (net/socket.c:1628)
[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1

Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/connection.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -187,6 +187,12 @@ new_conn:
 		}
 	}
 
+	if (trans == NULL) {
+		kmem_cache_free(rds_conn_slab, conn);
+		conn = ERR_PTR(-ENODEV);
+		goto out;
+	}
+
 	conn->c_trans = trans;
 
 	ret = trans->conn_alloc(conn, gfp);
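
Review bot: The new `if (trans == NULL)` check carries no comment saying how a NULL transport can reach this point, and it guards only the symptom. Per the commit message the trigger is a socket that was not properly bound before sending, and the trace shows the path rds_sendmsg -> rds_conn_create_outgoing -> __rds_conn_create, so consider also rejecting the unbound socket in rds_sendmsg before a connection is attempted, and add a one-line comment here naming that case. The error path itself is consistent with the visible lines: conn is released with `kmem_cache_free(rds_conn_slab, conn)` before it is overwritten with `ERR_PTR(-ENODEV)`, and the check sits ahead of both `conn->c_trans = trans` and the `trans->conn_alloc(conn, gfp)` dereference. Style nit: kernel coding style prefers `if (!trans)`.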


