projects
/
platform
/
kernel
/
linux-rpi.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
2be922f
)
net/smc: fix NULL pointer dereference on sock_create_kern() error path
author
Davide Caratti
<dcaratti@redhat.com>
Wed, 28 Feb 2018 11:44:09 +0000
(12:44 +0100)
committer
David S. Miller
<davem@davemloft.net>
Wed, 28 Feb 2018 17:30:25 +0000
(12:30 -0500)
when sock_create_kern(..., a) returns an error, 'a' might not be a valid
pointer, so it shouldn't be dereferenced to read a->sk->sk_sndbuf and
and a->sk->sk_rcvbuf; not doing that caused the following crash:
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4254 Comm: syzkaller919713 Not tainted 4.16.0-rc1+ #18
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:smc_create+0x14e/0x300 net/smc/af_smc.c:1410
RSP: 0018:
ffff8801b06afbc8
EFLAGS:
00010202
RAX:
dffffc0000000000
RBX:
ffff8801b63457c0
RCX:
ffffffff85a3e746
RDX:
0000000000000004
RSI:
00000000ffffffff
RDI:
0000000000000020
RBP:
ffff8801b06afbf0
R08:
00000000000007c0
R09:
0000000000000000
R10:
0000000000000000
R11:
0000000000000000
R12:
0000000000000000
R13:
ffff8801b6345c08
R14:
00000000ffffffe9
R15:
ffffffff8695ced0
FS:
0000000001afb880
(0000) GS:
ffff8801db200000
(0000)
knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000020000040
CR3:
00000001b0721004
CR4:
00000000001606f0
DR0:
0000000000000000
DR1:
0000000000000000
DR2:
0000000000000000
DR3:
0000000000000000
DR6:
00000000fffe0ff0
DR7:
0000000000000400
Call Trace:
__sock_create+0x4d4/0x850 net/socket.c:1285
sock_create net/socket.c:1325 [inline]
SYSC_socketpair net/socket.c:1409 [inline]
SyS_socketpair+0x1c0/0x6f0 net/socket.c:1366
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x4404b9
RSP: 002b:
00007fff44ab6908
EFLAGS:
00000246
ORIG_RAX:
0000000000000035
RAX:
ffffffffffffffda
RBX:
0000000000000000
RCX:
00000000004404b9
RDX:
0000000000000000
RSI:
0000000000000001
RDI:
000000000000002b
RBP:
00007fff44ab6910
R08:
0000000000000002
R09:
00007fff44003031
R10:
0000000020000040
R11:
0000000000000246
R12:
ffffffffffffffff
R13:
0000000000000006
R14:
0000000000000000
R15:
0000000000000000
Code: 48 c1 ea 03 80 3c 02 00 0f 85 b3 01 00 00 4c 8b a3 48 04 00 00 48
b8
00 00 00 00 00 fc ff df 49 8d 7c 24 20 48 89 fa 48 c1 ea 03 <80> 3c 02
00
0f 85 82 01 00 00 4d 8b 7c 24 20 48 b8 00 00 00 00
RIP: smc_create+0x14e/0x300 net/smc/af_smc.c:1410 RSP:
ffff8801b06afbc8
Fixes: cd6851f30386 smc: remote memory buffers (RMBs)
Reported-and-tested-by: syzbot+aa0227369be2dcc26ebe@syzkaller.appspotmail.com
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/smc/af_smc.c
patch
|
blob
|
history
diff --git
a/net/smc/af_smc.c
b/net/smc/af_smc.c
index da1a5cdefd13e96ac4acbec1a891a73af09dfa77..8cc97834d4f647f6d5ed5879e25276d5bd86338c 100644
(file)
--- a/
net/smc/af_smc.c
+++ b/
net/smc/af_smc.c
@@
-1406,8
+1406,10
@@
static int smc_create(struct net *net, struct socket *sock, int protocol,
smc->use_fallback = false; /* assume rdma capability first */
rc = sock_create_kern(net, PF_INET, SOCK_STREAM,
IPPROTO_TCP, &smc->clcsock);
- if (rc)
+ if (rc)
{
sk_common_release(sk);
+ goto out;
+ }
smc->sk.sk_sndbuf = max(smc->clcsock->sk->sk_sndbuf, SMC_BUF_MIN_SIZE);
smc->sk.sk_rcvbuf = max(smc->clcsock->sk->sk_rcvbuf, SMC_BUF_MIN_SIZE);