From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+4b4f8163c2e246df3c4c@syzkaller.appspotmail.com,
Ka-Cheong Poon <ka-cheong.poon@oracle.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.2 45/45] net/rds: An rds_sock is added too early to the hash table
Date: Sun, 29 Sep 2019 15:56:13 +0200 [thread overview]
Message-ID: <20190929135035.016426398@linuxfoundation.org> (raw)
In-Reply-To: <20190929135024.387033930@linuxfoundation.org>
From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
[ Upstream commit c5c1a030a7dbf8dd4e1fa4405ae9a89dc1d2a8db ]
In rds_bind(), an rds_sock is added to the RDS bind hash table before
rs_transport is set. This means that the socket can be found by the
receive code path when rs_transport is NULL. And the receive code
path de-references rs_transport for congestion update check. This can
cause a panic. An rds_sock should not be added to the bind hash table
before all the needed fields are set.
Reported-by: syzbot+4b4f8163c2e246df3c4c@syzkaller.appspotmail.com
Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/bind.c | 40 ++++++++++++++++++----------------------
1 file changed, 18 insertions(+), 22 deletions(-)
diff --git a/net/rds/bind.c b/net/rds/bind.c
index 0f4398e7f2a7a..05464fd7c17af 100644
--- a/net/rds/bind.c
+++ b/net/rds/bind.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2019 Oracle and/or its affiliates. All rights reserved.
*
* This software is available to you under a choice of one of two
* licenses. You may choose to be licensed under the terms of the GNU
@@ -239,34 +239,30 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
goto out;
}
- sock_set_flag(sk, SOCK_RCU_FREE);
- ret = rds_add_bound(rs, binding_addr, &port, scope_id);
- if (ret)
- goto out;
-
- if (rs->rs_transport) { /* previously bound */
+ /* The transport can be set using SO_RDS_TRANSPORT option before the
+ * socket is bound.
+ */
+ if (rs->rs_transport) {
trans = rs->rs_transport;
if (trans->laddr_check(sock_net(sock->sk),
binding_addr, scope_id) != 0) {
ret = -ENOPROTOOPT;
- rds_remove_bound(rs);
- } else {
- ret = 0;
+ goto out;
}
- goto out;
- }
- trans = rds_trans_get_preferred(sock_net(sock->sk), binding_addr,
- scope_id);
- if (!trans) {
- ret = -EADDRNOTAVAIL;
- rds_remove_bound(rs);
- pr_info_ratelimited("RDS: %s could not find a transport for %pI6c, load rds_tcp or rds_rdma?\n",
- __func__, binding_addr);
- goto out;
+ } else {
+ trans = rds_trans_get_preferred(sock_net(sock->sk),
+ binding_addr, scope_id);
+ if (!trans) {
+ ret = -EADDRNOTAVAIL;
+ pr_info_ratelimited("RDS: %s could not find a transport for %pI6c, load rds_tcp or rds_rdma?\n",
+ __func__, binding_addr);
+ goto out;
+ }
+ rs->rs_transport = trans;
}
- rs->rs_transport = trans;
- ret = 0;
+ sock_set_flag(sk, SOCK_RCU_FREE);
+ ret = rds_add_bound(rs, binding_addr, &port, scope_id);
out:
release_sock(sk);
--
2.20.1
next prev parent reply other threads:[~2019-09-29 14:02 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-29 13:55 [PATCH 5.2 00/45] 5.2.18-stable review Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 01/45] Revert "Bluetooth: validate BLE connection interval updates" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 02/45] smb3: fix unmount hang in open_shroot Greg Kroah-Hartman
2019-10-01 20:41 ` Pavel Shilovskiy
2019-10-01 22:49 ` Sasha Levin
2019-10-01 22:58 ` Pavel Shilovskiy
2019-09-29 13:55 ` [PATCH 5.2 03/45] phy: qcom-qmp: Raise qcom_qmp_phy_enable() polling delay Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 04/45] phy: qcom-qmp: Correct ready status, again Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 05/45] net/ibmvnic: free reset work of removed device from queue Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 06/45] drm/amd/display: Allow cursor async updates for framebuffer swaps Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 07/45] drm/amd/display: Skip determining update type for async updates Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 08/45] drm/amd/display: Dont replace the dc_state for fast updates Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 09/45] powerpc/xive: Fix bogus error code returned by OPAL Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 10/45] drm/amd/display: readd -msse2 to prevent Clang from emitting libcalls to undefined SW FP routines Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 11/45] Revert "net: hns: fix LED configuration for marvell phy" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 12/45] HID: prodikeys: Fix general protection fault during probe Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 13/45] HID: sony: Fix memory corruption issue on cleanup Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 14/45] HID: logitech: Fix general protection fault caused by Logitech driver Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 15/45] HID: logitech-dj: Fix crash when initial logi_dj_recv_query_paired_devices fails Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 16/45] HID: hidraw: Fix invalid read in hidraw_ioctl Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 17/45] HID: Add quirk for HP X500 PIXART OEM mouse Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 18/45] mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 19/45] crypto: talitos - fix missing break in switch statement Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 20/45] clk: imx: imx8mm: fix audio pll setting Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 21/45] Revert "HID: logitech-hidpp: add USB PID for a few more supported mice" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 22/45] Revert "mm/z3fold.c: fix race between migration and destruction" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 23/45] ALSA: usb-audio: Add Hiby device family to quirks for native DSD support Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 24/45] ALSA: usb-audio: Add DSD support for EVGA NU Audio Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 25/45] ALSA: dice: fix wrong packet parameter for Alesis iO26 Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 26/45] ALSA: hda - Add laptop imic fixup for ASUS M9V laptop Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 27/45] ALSA: hda - Apply AMD controller workaround for Raven platform Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 28/45] platform/x86: i2c-multi-instantiate: Derive the device name from parent Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 29/45] objtool: Clobber user CFLAGS variable Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 30/45] Revert "f2fs: avoid out-of-range memory access" Greg Kroah-Hartman
2019-09-29 13:55 ` [PATCH 5.2 31/45] dm zoned: fix invalid memory access Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 32/45] net/ibmvnic: Fix missing { in __ibmvnic_reset Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 33/45] f2fs: fix to do sanity check on segment bitmap of LFS curseg Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 34/45] drm: Flush output polling on shutdown Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 35/45] drm/dp: Add DP_DPCD_QUIRK_NO_SINK_COUNT Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 36/45] net: dont warn in inet diag when IPV6 is disabled Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 37/45] Bluetooth: btrtl: HCI reset on close for Realtek BT chip Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 38/45] ACPI: video: Add new hw_changes_brightness quirk, set it on PB Easynote MZ35 Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 39/45] drm/nouveau/disp/nv50-: fix center/aspect-corrected scaling Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 40/45] xfs: dont crash on null attr fork xfs_bmapi_read Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 41/45] xfrm: policy: avoid warning splat when merging nodes Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 42/45] netfilter: nft_socket: fix erroneous socket assignment Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 43/45] Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices Greg Kroah-Hartman
2019-09-29 13:56 ` [PATCH 5.2 44/45] net_sched: check cops->tcf_block in tc_bind_tclass() Greg Kroah-Hartman
2019-09-29 13:56 ` Greg Kroah-Hartman [this message]
2019-09-29 19:00 ` [PATCH 5.2 00/45] 5.2.18-stable review kernelci.org bot
2019-09-30 18:30 ` Guenter Roeck
2019-10-01 0:53 ` shuah
2019-10-01 1:10 ` Dan Rue
2019-10-01 14:58 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190929135035.016426398@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=ka-cheong.poon@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+4b4f8163c2e246df3c4c@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).