RDS: null pointer dereference in rds_atomic_free_op

Message ID 5a4d45ce.8b8a1c0a.1d072.e5e1@mx.google.com
State Accepted
Delegated to: David Miller

Commit Message

simo.ghannam@gmail.com Jan. 3, 2018, 9:06 p.m.
From: Mohamed Ghannam <simo.ghannam@gmail.com>

set rm->atomic.op_active to 0 when rds_pin_pages() fails
or the user supplied address is invalid,
this prevents a NULL pointer usage in rds_atomic_free_op()

Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
---
 net/rds/rdma.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Santosh Shilimkar Jan. 3, 2018, 9:19 p.m. | #1
On 1/3/2018 1:06 PM, simo.ghannam@gmail.com wrote:
> From: Mohamed Ghannam <simo.ghannam@gmail.com>
> 
> set rm->atomic.op_active to 0 when rds_pin_pages() fails
> or the user supplied address is invalid,
> this prevents a NULL pointer usage in rds_atomic_free_op()
> 
> Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
> ---
Good catch !!

Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>

David Miller Jan. 4, 2018, 7:20 p.m. | #2
From: simo.ghannam@gmail.com
Date: Wed,  3 Jan 2018 21:06:06 +0000

> From: Mohamed Ghannam <simo.ghannam@gmail.com>
> 
> set rm->atomic.op_active to 0 when rds_pin_pages() fails
> or the user supplied address is invalid,
> this prevents a NULL pointer usage in rds_atomic_free_op()
> 
> Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>

Applied and queued up for -stable, thanks.

Patch

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index bc2f1e0977d6..398932fbaf27 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -874,6 +874,7 @@  int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
 err:
 	if (page)
 		put_page(page);
+	rm->atomic.op_active = 0;
 	kfree(rm->atomic.op_notifier);
 
 	return ret;
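
Review bot: In the err: path, rm->atomic.op_notifier still points at freed memory after the kfree(). The commit message says rds_atomic_free_op() can run on this message after the failure, so consider adding `rm->atomic.op_notifier = NULL;` right after the kfree(), or confirm that nothing reads the notifier once op_active is 0. A short comment above `rm->atomic.op_active = 0;` stating that it keeps rds_atomic_free_op() from acting on an operation that was never fully set up would also help, since that dependency on the later free path is not visible from this function.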