Re: [V9fs-developer] [PATCH] 9p: fix multiple NULL-pointer-dereferences

From: piaojun <piaojun@huawei.com>
To: Dominique Martinet <asmadeus@codewreck.org>,
	Tomas Bortoli <tomasbortoli@gmail.com>
Cc: <v9fs-developer@lists.sourceforge.net>,
	<syzkaller@googlegroups.com>, <davem@davemloft.net>,
	<linux-kernel@vger.kernel.org>, <netdev@vger.kernel.org>
Subject: Re: [V9fs-developer] [PATCH] 9p: fix multiple NULL-pointer-dereferences
Date: Sat, 28 Jul 2018 08:58:54 +0800	[thread overview]
Message-ID: <5B5BBFCE.50002@huawei.com> (raw)
In-Reply-To: <20180727153904.GA500@nautica>

Hi Tomas & Dominique,

I could not recieve the original patch. Did the patch CC v9fs developer
maillist?

Thanks,
Jun

On 2018/7/27 23:39, Dominique Martinet wrote:
> Tomas Bortoli wrote on Fri, Jul 27, 2018:
>> Added checks to prevent GPFs from raising.
>>
>> Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
>> Reported-by: syzbot+1a262da37d3bead15c39@syzkaller.appspotmail.com
> 
> LGTM, I'll take this. Thanks!
> 
> Just a note for future patchs that have multiple versions, it's usually
> good to write in the subject [PATCH v2] (then v3 etc) so we can easily
> tell it's a new version.
> If the thread isn't too long I'd also recommend considering setting a
> reply-to to the previous patch so we can easily compare versions/write
> off old patches.
> 
>> ---
>>  net/9p/trans_fd.c     | 5 ++++-
>>  net/9p/trans_rdma.c   | 3 +++
>>  net/9p/trans_virtio.c | 3 +++
>>  net/9p/trans_xen.c    | 3 +++
>>  4 files changed, 13 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
>> index 964260265b13..e2ef3c782c53 100644
>> --- a/net/9p/trans_fd.c
>> +++ b/net/9p/trans_fd.c
>> @@ -945,7 +945,7 @@ p9_fd_create_tcp(struct p9_client *client, const char *addr, char *args)
>>  	if (err < 0)
>>  		return err;
>>  
>> -	if (valid_ipaddr4(addr) < 0)
>> +	if (addr == NULL || valid_ipaddr4(addr) < 0)
>>  		return -EINVAL;
>>  
>>  	csocket = NULL;
>> @@ -995,6 +995,9 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
>>  
>>  	csocket = NULL;
>>  
>> +	if (addr == NULL)
>> +		return -EINVAL;
>> +
>>  	if (strlen(addr) >= UNIX_PATH_MAX) {
>>  		pr_err("%s (%d): address too long: %s\n",
>>  		       __func__, task_pid_nr(current), addr);
>> diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
>> index 2649b2ebf961..2ab4574183c9 100644
>> --- a/net/9p/trans_rdma.c
>> +++ b/net/9p/trans_rdma.c
>> @@ -645,6 +645,9 @@ rdma_create_trans(struct p9_client *client, const char *addr, char *args)
>>  	struct rdma_conn_param conn_param;
>>  	struct ib_qp_init_attr qp_attr;
>>  
>> +	if (addr == NULL)
>> +		return -EINVAL;
>> +
>>  	/* Parse the transport specific mount options */
>>  	err = parse_opts(args, &opts);
>>  	if (err < 0)
>> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
>> index 06dcd3cc6a29..8ca356eb66bb 100644
>> --- a/net/9p/trans_virtio.c
>> +++ b/net/9p/trans_virtio.c
>> @@ -654,6 +654,9 @@ p9_virtio_create(struct p9_client *client, const char *devname, char *args)
>>  	int ret = -ENOENT;
>>  	int found = 0;
>>  
>> +	if (devname == NULL)
>> +		return -EINVAL;
>> +
>>  	mutex_lock(&virtio_9p_lock);
>>  	list_for_each_entry(chan, &virtio_chan_list, chan_list) {
>>  		if (!strncmp(devname, chan->tag, chan->tag_len) &&
>> diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
>> index 2e2b8bca54f3..c2d54ac76bfd 100644
>> --- a/net/9p/trans_xen.c
>> +++ b/net/9p/trans_xen.c
>> @@ -94,6 +94,9 @@ static int p9_xen_create(struct p9_client *client, const char *addr, char *args)
>>  {
>>  	struct xen_9pfs_front_priv *priv;
>>  
>> +	if (addr == NULL)
>> +		return -EINVAL;
>> +
>>  	read_lock(&xen_9pfs_lock);
>>  	list_for_each_entry(priv, &xen_9pfs_devs, list) {
>>  		if (!strcmp(priv->tag, addr)) {
> 