linux-hardened/net/rds
Sasha Levin 74e98eb085 RDS: verify the underlying transport exists before creating a connection
There was no verification that an underlying transport exists when creating
a connection; this would cause dereferencing a NULL ptr.

It might happen on sockets that weren't properly bound before attempting to
send a message, which will cause a NULL ptr deref:

[135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[135546.051270] Modules linked in:
[135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
[135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
[135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
[135546.055666] RSP: 0018:ffff8800bc70fab0  EFLAGS: 00010202
[135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
[135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
[135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
[135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
[135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
[135546.061668] FS:  00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
[135546.062836] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
[135546.064723] Stack:
[135546.065048]  ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
[135546.066247]  0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
[135546.067438]  1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
[135546.068629] Call Trace:
[135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
[135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
[135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
[135546.071981] rds_sendmsg (net/rds/send.c:1058)
[135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
[135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
[135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
[135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
[135546.076349] ? __might_fault (mm/memory.c:3795)
[135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
[135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
[135546.078856] SYSC_sendto (net/socket.c:1657)
[135546.079596] ? SYSC_connect (net/socket.c:1628)
[135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
[135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
[135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
[135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
[135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
[135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
[135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1

Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-09 12:38:30 -07:00
af_rds.c RDS: add a sock_destruct callback debug aid 2015-08-25 13:35:30 -07:00
bind.c RDS-TCP: Make RDS-TCP work correctly when it is set up in a netns other than init_net 2015-08-07 11:29:57 -07:00
cong.c rds: rds_cong_queue_updates needs to defer the congestion update transmission 2015-02-11 14:35:44 -08:00
connection.c RDS: verify the underlying transport exists before creating a connection 2015-09-09 12:38:30 -07:00
ib.c RDS: push FMR pool flush work to its own worker 2015-08-25 16:28:11 -07:00
ib.h RDS: push FMR pool flush work to its own worker 2015-08-25 16:28:11 -07:00
ib_cm.c RDS: Don't destroy the rdma id until after we're done using it 2015-08-25 13:35:31 -07:00
ib_rdma.c RDS: remove superfluous from rds_ib_alloc_fmr() 2015-08-25 16:28:11 -07:00
ib_recv.c RDS: fix the dangling reference to rds_ib_incoming_slab 2015-08-25 16:28:10 -07:00
ib_ring.c
ib_send.c RDS: Make sure we do a signaled send for large-send 2015-08-25 13:35:30 -07:00
ib_stats.c RDS: Move atomic stats from general to ib-specific area 2010-09-08 18:12:20 -07:00
ib_sysctl.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
info.c rds: fix an integer overflow test in rds_info_getsockopt() 2015-08-03 15:20:16 -07:00
info.h
iw.c RDS-TCP: Make RDS-TCP work correctly when it is set up in a netns other than init_net 2015-08-07 11:29:57 -07:00
iw.h rds: switch ->inc_copy_to_user() to passing iov_iter 2014-11-24 05:16:43 -05:00
iw_cm.c RDS-TCP: Make RDS-TCP work correctly when it is set up in a netns other than init_net 2015-08-07 11:29:57 -07:00
iw_rdma.c rds: avoid potential stack overflow 2015-03-12 00:28:01 -04:00
iw_recv.c rds: switch ->inc_copy_to_user() to passing iov_iter 2014-11-24 05:16:43 -05:00
iw_ring.c
iw_send.c rds: re-entry of rds_ib_xmit/rds_iw_xmit 2015-06-02 09:22:31 -04:00
iw_stats.c
iw_sysctl.c rds: remove the unneed NULL checking 2014-05-09 15:59:45 -04:00
Kconfig net/rds: remove depends on CONFIG_EXPERIMENTAL 2013-01-11 11:40:02 -08:00
loop.c RDS: use gfp flags from caller in conn_alloc() 2012-03-22 19:29:58 -04:00
loop.h
Makefile Net: rds: Makefile: Remove deprecated items 2010-11-22 08:16:15 -08:00
message.c rds: Make rds_message_copy_from_user() return 0 on success. 2015-02-07 22:41:56 -08:00
page.c net: Fix (nearly-)kernel-doc comments for various functions 2012-07-10 23:13:45 -07:00
rdma.c RDS: Fix rds MR reference count in rds_rdma_unuse() 2015-08-25 16:28:10 -07:00
rdma_transport.c RDS: check for valid cm_id before initiating connection 2015-08-25 13:35:31 -07:00
rdma_transport.h rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
rds.h RDS: make sure we post recv buffers 2015-08-25 13:35:30 -07:00
recv.c net: Remove iocb argument from sendmsg and recvmsg 2015-03-02 13:06:31 -05:00
send.c RDS: return EMSGSIZE for oversize requests before processing/queueing 2015-08-25 13:35:31 -07:00
stats.c net/rds: zero last byte for strncpy 2013-03-08 00:35:44 -05:00
sysctl.c net: rds: use correct size for max unacked packets and bytes 2015-02-04 16:07:27 -08:00
tcp.c RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns. 2015-08-07 11:29:58 -07:00
tcp.h RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns. 2015-08-07 11:29:58 -07:00
tcp_connect.c RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns. 2015-08-07 11:29:58 -07:00
tcp_listen.c RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns. 2015-08-07 11:29:58 -07:00
tcp_recv.c rds: switch ->inc_copy_to_user() to passing iov_iter 2014-11-24 05:16:43 -05:00
tcp_send.c arch: Mass conversion of smp_mb__*() 2014-04-18 14:20:48 +02:00
tcp_stats.c net: rds: fix const array syntax 2011-07-01 16:16:19 -07:00
threads.c net/rds: call rds_conn_drop instead of open code it at rds_connect_complete 2014-10-03 12:51:59 -07:00
transport.c RDS-TCP: Make RDS-TCP work correctly when it is set up in a netns other than init_net 2015-08-07 11:29:57 -07:00