[t,x,z,a,1/1] RDS: null pointer dereference in rds_atomic_free_op

Message ID 20180131164759.19957-2-benjamin.romer@canonical.com
State New
Headers show
Series
  • Fix for CVE-2018-5333
Related show

Commit Message

Benjamin M Romer Jan. 31, 2018, 4:47 p.m.
From: Mohamed Ghannam <simo.ghannam@gmail.com>

set rm->atomic.op_active to 0 when rds_pin_pages() fails
or the user supplied address is invalid,
this prevents a NULL pointer usage in rds_atomic_free_op()

Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2018-5333
(cherry picked from commit 7d11f77f84b27cef452cee332f4e469503084737)
Signed-off-by: Benjamin M Romer <benjamin.romer@canonical.com>
---
 net/rds/rdma.c | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 8d3a851a3476..f334692fcadd 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -866,6 +866,7 @@  int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
 err:
 	if (page)
 		put_page(page);
+	rm->atomic.op_active = 0;
 	kfree(rm->atomic.op_notifier);
 
 	return ret;