From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Vegard Nossum <vegard.nossum@oracle.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.6 11/56] net/irda: fix NULL pointer dereference on memory allocation failure
Date: Sun, 14 Aug 2016 22:37:15 +0200
Message-ID: <20160814202505.367985274@linuxfoundation.org>
In-Reply-To: <20160814202504.908694181@linuxfoundation.org>

4.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard.nossum@oracle.com>

[ Upstream commit d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d ]

I ran into this:

    kasan: CONFIG_KASAN_INLINE enabled
    kasan: GPF could be caused by NULL-ptr deref or user memory access
    general protection fault: 0000 [#1] PREEMPT SMP KASAN
    CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000
    RIP: 0010:[<ffffffff82bbf066>]  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
    RSP: 0018:ffff880111747bb8  EFLAGS: 00010286
    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358
    RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048
    RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000
    R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000
    FS:  00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0
    Stack:
     0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220
     ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232
     ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000
    Call Trace:
     [<ffffffff82bca542>] irda_connect+0x562/0x1190
     [<ffffffff825ae582>] SYSC_connect+0x202/0x2a0
     [<ffffffff825b4489>] SyS_connect+0x9/0x10
     [<ffffffff8100334c>] do_syscall_64+0x19c/0x410
     [<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
    Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
    RIP  [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
     RSP <ffff880111747bb8>
    ---[ end trace 4cda2588bc055b30 ]---

The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
and then irttp_connect_request() almost immediately dereferences it.

Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/irda/af_irda.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1024,8 +1024,11 @@ static int irda_connect(struct socket *s
 	}
 
 	/* Check if we have opened a local TSAP */
-	if (!self->tsap)
-		irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+	if (!self->tsap) {
+		err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+		if (err)
+			goto out;
+	}
 
 	/* Move to connecting socket, start sending Connect Requests */
 	sock->state = SS_CONNECTING;
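Review bot: the new `err = irda_open_tsap(...); if (err) goto out;` path depends on two things that sit outside this hunk and should be confirmed in the full function: that `err` is already declared in irda_connect() with the right type, and that the `out` label releases whatever irda_connect() holds at this point (the hunk begins after a closing `}` inside the function, so the lock and state handling on the error path are not visible here). The test `if (err)` also assumes irda_open_tsap() returns 0 on success and a negative errno on failure; if it returned a positive value or a boolean the error would be reported with the wrong sign to the caller. As written the change is the correct fix for the report: on allocation failure self->tsap stays NULL and the function returns before irttp_connect_request() can dereference it, instead of the GPF shown in the KASAN trace, and a later connect() on the same socket simply retries the `if (!self->tsap)` branch.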
