From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: Vegard Nossum <vegard.nossum@oracle.com>,
"David S . Miller" <davem@davemloft.net>,
Jiri Slaby <jslaby@suse.cz>
Subject: [patch added to 3.12-stable] net/irda: fix NULL pointer dereference on memory allocation failure
Date: Thu, 18 Aug 2016 14:49:14 +0200 [thread overview]
Message-ID: <20160818124953.31969-9-jslaby@suse.cz> (raw)
In-Reply-To: <20160818124953.31969-1-jslaby@suse.cz>
From: Vegard Nossum <vegard.nossum@oracle.com>
This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.
===============
[ Upstream commit d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d ]
I ran into this:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff8800b745f2c0 ti: ffff880111740000 task.ti: ffff880111740000
RIP: 0010:[<ffffffff82bbf066>] [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
RSP: 0018:ffff880111747bb8 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000069dd8358
RDX: 0000000000000009 RSI: 0000000000000027 RDI: 0000000000000048
RBP: ffff880111747c00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000069dd8358 R11: 1ffffffff0759723 R12: 0000000000000000
R13: ffff88011a7e4780 R14: 0000000000000027 R15: 0000000000000000
FS: 00007fc738404700(0000) GS:ffff88011af00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc737fdfb10 CR3: 0000000118087000 CR4: 00000000000006e0
Stack:
0000000000000200 ffff880111747bd8 ffffffff810ee611 ffff880119f1f220
ffff880119f1f4f8 ffff880119f1f4f0 ffff88011a7e4780 ffff880119f1f232
ffff880119f1f220 ffff880111747d58 ffffffff82bca542 0000000000000000
Call Trace:
[<ffffffff82bca542>] irda_connect+0x562/0x1190
[<ffffffff825ae582>] SYSC_connect+0x202/0x2a0
[<ffffffff825b4489>] SyS_connect+0x9/0x10
[<ffffffff8100334c>] do_syscall_64+0x19c/0x410
[<ffffffff83295ca5>] entry_SYSCALL64_slow_path+0x25/0x25
Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83 c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0 74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
RIP [<ffffffff82bbf066>] irttp_connect_request+0x36/0x710
RSP <ffff880111747bb8>
---[ end trace 4cda2588bc055b30 ]---
The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
and then irttp_connect_request() almost immediately dereferences it.
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
net/irda/af_irda.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index f8133ff5b081..c95bafa65f5b 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1039,8 +1039,11 @@ static int irda_connect(struct socket *sock, struct sockaddr *uaddr,
}
/* Check if we have opened a local TSAP */
- if (!self->tsap)
- irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (!self->tsap) {
+ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (err)
+ goto out;
+ }
/* Move to connecting socket, start sending Connect Requests */
sock->state = SS_CONNECTING;
--
2.9.3
next prev parent reply other threads:[~2016-08-18 12:50 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-18 12:49 [patch added to 3.12-stable] x86, asmlinkage, lguest: Pass in globals into assembler statement Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] can: at91_can: RX queue could get stuck at high bus load Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] can: fix handling of unmodifiable configuration options fix Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] can: fix oops caused by wrong rtnl dellink usage Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ipr: Clear interrupt on croc/crocodile when running with LSI Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] net: mvneta: set real interrupt per packet for tx_done Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] random32: add prandom_u32_max and convert open coded users Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] tcp: make challenge acks less predictable Jiri Slaby
2016-08-18 12:49 ` Jiri Slaby [this message]
2016-08-18 12:49 ` [patch added to 3.12-stable] tcp: consider recv buf for the initial window scale Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Fix mapped fault broken commpage handling Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Add missing gfn range check Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Fix gfn range check in kseg0 tlb faults Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] MIPS: KVM: Propagate kseg0/mapped tlb fault errors Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] HID: i2c-hid: set power sleep before shutdown Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] HID: multitouch: Add MT_QUIRK_NOT_SEEN_MEANS_UP to Surface Pro 3 Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] x86/mm: Improve switch_mm() barrier comments Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] arm: oabi compat: add missing access checks Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] apparmor: fix ref count leak when profile sha1 hash is read Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] block: fix use-after-free in seq file Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] sysv, ipc: fix security-layer leaking Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] fuse: fix wrong assignment of ->flags in fuse_send_init() Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] crypto: gcm - Filter out async ghash if necessary Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] crypto: scatterwalk - Fix test in scatterwalk_done Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: check for extents that wrap around Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: fix deadlock during page writeback Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: don't call ext4_should_journal_data() on the journal inode Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: short-cut orphan cleanup on error Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] ext4: fix reference counting bug on block allocation error Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] USB: serial: option: add support for Telit LE910 PID 0x1206 Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] gpio: pca953x: Fix NBANK calculation for PCA9536 Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] s5p-mfc: Set device name for reserved memory region devs Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] s5p-mfc: Add release callback for " Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] cifs: Check for existing directory when opening file with O_CREAT Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] cifs: fix crash due to race in hmac(md5) handling Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] CIFS: Fix a possible invalid memory access in smb2_query_symlink() Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] random: properly align get_random_int_hash Jiri Slaby
2016-08-19 3:14 ` Eric Biggers
2016-08-19 7:07 ` Jiri Slaby
2016-08-18 12:49 ` [patch added to 3.12-stable] nfs: don't create zero-length requests Jiri Slaby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160818124953.31969-9-jslaby@suse.cz \
--to=jslaby@suse.cz \
--cc=davem@davemloft.net \
--cc=stable@vger.kernel.org \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.