Message ID | 20240326153132.55580-1-mngyadam@amazon.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 62fc3357e079a07a22465b9b6ef71bb6ea75ee4b |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | net/rds: fix possible cp null dereference | expand |
On Tue, Mar 26, 2024 at 04:31:33PM +0100, Mahmoud Adam wrote: > cp might be null, calling cp->cp_conn would produce null dereference > > Fixes: c055fc00c07b ("net/rds: fix WARNING in rds_conn_connect_if_down") > Cc: stable@vger.kernel.org # v4.19+ > Signed-off-by: Mahmoud Adam <mngyadam@amazon.com> Thanks Mahmoud, As per some details below, this seems to be a valid concern to me. And the cited commit does seem to introduce this problem. Reviewed-by: Simon Horman <horms@kernel.org> It is probably not necessary to repost because of this, but in future, please target bug fixes for Networking against the net tree, which should be designated in the subject. [PATCH net] ... See: https://docs.kernel.org/process/maintainer-netdev.html > --- > This was found by our coverity bot, and only tested by building the kernel. > also was reported here: https://lore.kernel.org/all/202403071132.37BBF46E@keescook/ > > net/rds/rdma.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/rds/rdma.c b/net/rds/rdma.c > index a4e3c5de998b..00dbcd4d28e6 100644 > --- a/net/rds/rdma.c > +++ b/net/rds/rdma.c > @@ -302,7 +302,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args, > } > ret = PTR_ERR(trans_private); > /* Trigger connection so that its ready for the next retry */ > - if (ret == -ENODEV) > + if (ret == -ENODEV && cp) > rds_conn_connect_if_down(cp->cp_conn); > goto out; > } Analysis: * cp is a parameter of __rds_rdma_map and is not reassigned. * The following call-sites pass a NULL cp argument to __rds_rdma_map() - rds_get_mr() - rds_get_mr_for_dest * Prior to the code above, the following assumes that cp may be NULL (which is indicative, but could itself be unnecessary) trans_private = rs->rs_transport->get_mr( sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, args->vec.addr, args->vec.bytes, need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED); * The code modified by this patch is guarded by IS_ERR(trans_private), where trans_private is assigned as per the previous point in this analysis. The only implementation of get_mr that I could locate is rds_ib_get_mr() which can return an ERR_PTR if the conn (4th) argument is NULL. * ret is set to PTR_ERR(trans_private). rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL. Thus ret may be -ENODEV in which case the code in question will execute. Conclusion: * cp may be NULL at the point where this patch adds a check; this patch does seem to address a possible bug
Hello: This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Tue, 26 Mar 2024 16:31:33 +0100 you wrote: > cp might be null, calling cp->cp_conn would produce null dereference > > Fixes: c055fc00c07b ("net/rds: fix WARNING in rds_conn_connect_if_down") > Cc: stable@vger.kernel.org # v4.19+ > Signed-off-by: Mahmoud Adam <mngyadam@amazon.com> > --- > This was found by our coverity bot, and only tested by building the kernel. > also was reported here: https://lore.kernel.org/all/202403071132.37BBF46E@keescook/ > > [...] Here is the summary with links: - net/rds: fix possible cp null dereference https://git.kernel.org/netdev/net/c/62fc3357e079 You are awesome, thank you!
diff --git a/net/rds/rdma.c b/net/rds/rdma.c index a4e3c5de998b..00dbcd4d28e6 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -302,7 +302,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args, } ret = PTR_ERR(trans_private); /* Trigger connection so that its ready for the next retry */ - if (ret == -ENODEV) + if (ret == -ENODEV && cp) rds_conn_connect_if_down(cp->cp_conn); goto out; }
cp might be null, calling cp->cp_conn would produce null dereference Fixes: c055fc00c07b ("net/rds: fix WARNING in rds_conn_connect_if_down") Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Mahmoud Adam <mngyadam@amazon.com> --- This was found by our coverity bot, and only tested by building the kernel. also was reported here: https://lore.kernel.org/all/202403071132.37BBF46E@keescook/ net/rds/rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.40.1