From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vegard Nossum <vegard.nossum@oracle.com>,
Ying Xue <ying.xue@windriver.com>,
Jon Maloy <jon.maloy@ericsson.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 37/73] tipc: fix NULL pointer dereference in shutdown()
Date: Wed, 28 Sep 2016 11:05:07 +0200 [thread overview]
Message-ID: <20160928090437.259036557@linuxfoundation.org> (raw)
In-Reply-To: <20160928090434.509091655@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
[ Upstream commit d2fbdf76b85bcdfe57b8ef2ba09d20e8ada79abd ]
tipc_msg_create() can return a NULL skb and if so, we shouldn't try to
call tipc_node_xmit_skb() on it.
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 3 PID: 30298 Comm: trinity-c0 Not tainted 4.7.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff8800baf09980 ti: ffff8800595b8000 task.ti: ffff8800595b8000
RIP: 0010:[<ffffffff830bb46b>] [<ffffffff830bb46b>] tipc_node_xmit_skb+0x6b/0x140
RSP: 0018:ffff8800595bfce8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003023b0e0
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffffff83d12580
RBP: ffff8800595bfd78 R08: ffffed000b2b7f32 R09: 0000000000000000
R10: fffffbfff0759725 R11: 0000000000000000 R12: 1ffff1000b2b7f9f
R13: ffff8800595bfd58 R14: ffffffff83d12580 R15: dffffc0000000000
FS: 00007fcdde242700(0000) GS:ffff88011af80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcddde1db10 CR3: 000000006874b000 CR4: 00000000000006e0
DR0: 00007fcdde248000 DR1: 00007fcddd73d000 DR2: 00007fcdde248000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602
Stack:
0000000000000018 0000000000000018 0000000041b58ab3 ffffffff83954208
ffffffff830bb400 ffff8800595bfd30 ffffffff8309d767 0000000000000018
0000000000000018 ffff8800595bfd78 ffffffff8309da1a 00000000810ee611
Call Trace:
[<ffffffff830c84a3>] tipc_shutdown+0x553/0x880
[<ffffffff825b4a3b>] SyS_shutdown+0x14b/0x170
[<ffffffff8100334c>] do_syscall_64+0x19c/0x410
[<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
Code: 90 00 b4 0b 83 c7 00 f1 f1 f1 f1 4c 8d 6d e0 c7 40 04 00 00 00 f4 c7 40 08 f3 f3 f3 f3 48 89 d8 48 c1 e8 03 c7 45 b4 00 00 00 00 <80> 3c 30 00 75 78 48 8d 7b 08 49 8d 75 c0 48 b8 00 00 00 00 00
RIP [<ffffffff830bb46b>] tipc_node_xmit_skb+0x6b/0x140
RSP <ffff8800595bfce8>
---[ end trace 57b0484e351e71f1 ]---
I feel like we should maybe return -ENOMEM or -ENOBUFS, but I'm not sure
userspace is equipped to handle that. Anyway, this is better than a GPF
and looks somewhat consistent with other tipc_msg_create() callers.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/socket.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2111,7 +2111,8 @@ restart:
TIPC_CONN_MSG, SHORT_H_SIZE,
0, dnode, onode, dport, oport,
TIPC_CONN_SHUTDOWN);
- tipc_node_xmit_skb(net, skb, dnode, tsk->portid);
+ if (skb)
+ tipc_node_xmit_skb(net, skb, dnode, tsk->portid);
}
tsk->connected = 0;
sock->state = SS_DISCONNECTING;
next prev parent reply other threads:[~2016-09-28 9:07 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160928090623uscas1p1076bd85a3fd981ed5a1284f5bebb1bbf@uscas1p1.samsung.com>
2016-09-28 9:04 ` [PATCH 4.4 00/73] 4.4.23-stable review Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 01/73] include/linux/kernel.h: change abs() macro so it uses consistent return type Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 02/73] Fix build warning in kernel/cpuset.c Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 03/73] reiserfs: fix "new_insert_key may be used uninitialized ..." Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 09/73] crypto: arm64/aes-ctr - fix NULL dereference in tail processing Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 10/73] crypto: arm/aes-ctr " Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 11/73] crypto: skcipher - Fix blkcipher walk OOM crash Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 12/73] crypto: echainiv - Replace chaining with multiplication Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 13/73] ocfs2/dlm: fix race between convert and migration Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 14/73] ocfs2: fix start offset to ocfs2_zero_range_for_truncate() Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 15/73] kbuild: Do not run modules_install and install in paralel Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 16/73] Makefile: revert "Makefile: Document ability to make file.lst and file.S" partially Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 17/73] tools: Support relative directory path for O= Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 18/73] kbuild: forbid kernel directory to contain spaces and colons Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 19/73] Kbuild: disable maybe-uninitialized warning for CONFIG_PROFILE_ALL_BRANCHES Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 20/73] gcov: disable -Wmaybe-uninitialized warning Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 21/73] Disable "maybe-uninitialized" warning globally Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 23/73] Makefile: Mute warning for __builtin_return_address(>0) for tracing only Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 24/73] net: caif: fix misleading indentation Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 26/73] [media] am437x-vfpe: fix typo in vpfe_get_app_input_index Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 27/73] ath9k: fix misleading indentation Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 28/73] iwlegacy: avoid warning about missing braces Greg Kroah-Hartman
2016-09-28 9:04 ` [PATCH 4.4 29/73] Staging: iio: adc: fix indent on break statement Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 30/73] nouveau: fix nv40_perfctr_next() cleanup regression Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 31/73] megaraid: fix null pointer check in megasas_detach_one() Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 32/73] bonding: Fix bonding crash Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 33/73] Revert "af_unix: Fix splice-bind deadlock" Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 34/73] af_unix: split u->readlock into two: iolock and bindlock Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 35/73] vti: flush x-netns xfrm cache when vti interface is removed Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 36/73] net/irda: handle iriap_register_lsap() allocation failure Greg Kroah-Hartman
2016-09-28 9:05 ` Greg Kroah-Hartman [this message]
2016-09-28 9:05 ` [PATCH 4.4 38/73] net/mlx5: Added missing check of msg length in verifying its signature Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 39/73] net: dsa: bcm_sf2: Fix race condition while unmasking interrupts Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 40/73] Revert "phy: IRQ cannot be shared" Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 41/73] net: smc91x: fix SMC accesses Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 42/73] bridge: re-introduce fix parsing of MLDv2 reports Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 43/73] pwm: Mark all devices as "might sleep" Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 44/73] autofs races Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 45/73] autofs: use dentry flags to block walks during expire Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 46/73] xfs: prevent dropping ioend completions during buftarg wait Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 47/73] fsnotify: add a way to stop queueing events on group shutdown Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 48/73] fanotify: fix list corruption in fanotify_get_response() Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 49/73] fix fault_in_multipages_...() on architectures with no-op access_ok() Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 50/73] mtd: maps: sa1100-flash: potential NULL dereference Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 51/73] mtd: pmcmsp-flash: Allocating too much in init_msp_flash() Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 52/73] power: reset: hisi-reboot: Unmap region obtained by of_iomap Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 53/73] fix memory leaks in tracing_buffers_splice_read() Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 54/73] tracing: Move mutex to protect against resetting of seq data Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 55/73] mm: delete unnecessary and unsafe init_tlb_ubc() Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 56/73] can: flexcan: fix resume function Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 57/73] nl80211: validate number of probe response CSA counters Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 58/73] btrfs: ensure that file descriptor used with subvol ioctls is a dir Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 59/73] i2c-eg20t: fix race between i2c init and interrupt enable Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 60/73] i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 61/73] MIPS: Fix pre-r6 emulation FPU initialisation Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 63/73] MIPS: vDSO: Fix Malta EVA mapping to vDSO page structs Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 64/73] MIPS: Remove compact branch policy Kconfig entries Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 65/73] MIPS: Avoid a BUG warning during prctl(PR_SET_FP_MODE, ...) Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 66/73] MIPS: Add a missing ".set pop" in an early commit Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 67/73] MIPS: paravirt: Fix undefined reference to smp_bootstrap Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 68/73] PM / hibernate: Restore processor state before using per-CPU variables Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 69/73] PM / hibernate: Fix rtree_next_node() to avoid walking off list ends Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 70/73] power_supply: tps65217-charger: fix missing platform_set_drvdata() Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 71/73] power: supply: max17042_battery: fix model download bug Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 72/73] qxl: check for kmap failures Greg Kroah-Hartman
2016-09-28 9:05 ` [PATCH 4.4 73/73] hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common() Greg Kroah-Hartman
2016-09-28 16:45 ` [PATCH 4.4 00/73] 4.4.23-stable review Shuah Khan
2016-09-28 22:43 ` Guenter Roeck
[not found] ` <57ec0f9e.07ddc20a.146f7.4be3@mx.google.com>
2016-09-29 9:01 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160928090437.259036557@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jon.maloy@ericsson.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vegard.nossum@oracle.com \
--cc=ying.xue@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).