Re: [PATCH net] rds: Fix NULL pointer dereference in __rds_rdma_map

From: David Miller
Date: Wed Dec 06 2017 - 15:45:12 EST


From: Håkon Bugge <Haakon.Bugge@xxxxxxxxxx>
Date: Wed, 6 Dec 2017 17:18:28 +0100

> This is a fix for syzkaller719569, where memory registration was
> attempted without any underlying transport being loaded.
>
> Analysis of the case reveals that it is the setsockopt() RDS_GET_MR
> (2) and RDS_GET_MR_FOR_DEST (7) that are vulnerable.
>
> Here is an example stack trace when the bug is hit:
...
> The fix is to check the existence of an underlying transport in
> __rds_rdma_map().
>
> Signed-off-by: Håkon Bugge <haakon.bugge@xxxxxxxxxx>
> Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>

Applied and queued up for -stable, thanks.