From patchwork Wed Jan 31 16:47:59 2018
X-Patchwork-Submitter: Benjamin M Romer
X-Patchwork-Id: 868015
From: Benjamin M Romer
To: kernel-team@lists.ubuntu.com
Subject: [t x z a][PATCH 1/1] RDS: null pointer dereference in rds_atomic_free_op
Date: Wed, 31 Jan 2018 11:47:59 -0500
Message-Id: <20180131164759.19957-2-benjamin.romer@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20180131164759.19957-1-benjamin.romer@canonical.com>
References: <20180131164759.19957-1-benjamin.romer@canonical.com>
List-Id: Kernel team discussions

From: Mohamed Ghannam

set rm->atomic.op_active to 0 when rds_pin_pages() fails
or the user supplied address is invalid,
this prevents a NULL pointer usage in rds_atomic_free_op()

Signed-off-by: Mohamed Ghannam
Acked-by: Santosh Shilimkar
Signed-off-by: David S. Miller CVE-2018-5333 (cherry picked from commit 7d11f77f84b27cef452cee332f4e469503084737) Signed-off-by: Benjamin M Romer --- net/rds/rdma.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/rds/rdma.c b/net/rds/rdma.c index 8d3a851a3476..f334692fcadd 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -866,6 +866,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm, err: if (page) put_page(page); + rm->atomic.op_active = 0; kfree(rm->atomic.op_notifier); return ret;
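Review bot: In the err: path of rds_cmsg_atomic(), the new "rm->atomic.op_active = 0;" is followed by "kfree(rm->atomic.op_notifier);" with no reset of the pointer before "return ret;", so the message keeps a stale op_notifier value after the error exit. Since the commit message ties this fix to what rds_atomic_free_op() does with the message later, consider adding "rm->atomic.op_notifier = NULL;" after the kfree as defensive hardening, so that no later cleanup path depends on op_active alone. A one-line comment above the new assignment would also help: the commit message names two failure cases (rds_pin_pages() failing and an invalid user-supplied address), but the reset sits under the shared err: label rather than at those two sites, and a reader of the code cannot tell from the hunk why the flag must be cleared there.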