[PATCH] rds: fix crash in rds_info_getsockopt()

From: John Hubbard
Date: Wed May 20 2020 - 15:41:52 EST

Next message: Paul E. McKenney: "Re: [patch V6 12/37] x86/entry: Provide idtentry_entry/exit_cond_rcu()"
Previous message: Thomas Gleixner: "Re: io_uring vs CPU hotplug, was Re: [PATCH 5/9] blk-mq: don't set data->ctx and data->hctx in blk_mq_alloc_request_hctx"
In reply to: syzbot: "general protection fault in unpin_user_pages"
Next in thread: santosh . shilimkar: "Re: [PATCH] rds: fix crash in rds_info_getsockopt()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The conversion to pin_user_pages() had a bug: it overlooked
the case of allocation of pages failing. Fix that by restoring
an equivalent check.

Reported-by: syzbot+118ac0af4ac7f785a45b@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: dbfe7d74376e ("rds: convert get_user_pages() --> pin_user_pages()")

Cc: David S. Miller <davem@xxxxxxxxxxxxx>
Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
Cc: netdev@xxxxxxxxxxxxxxx
Cc: linux-rdma@xxxxxxxxxxxxxxx
Cc: rds-devel@xxxxxxxxxxxxxx
Signed-off-by: John Hubbard <jhubbard@xxxxxxxxxx>
---
net/rds/info.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rds/info.c b/net/rds/info.c
index e1d63563e81c..b6b46a8214a0 100644
--- a/net/rds/info.c
+++ b/net/rds/info.c
@@ -234,7 +234,8 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
ret = -EFAULT;

out:
- unpin_user_pages(pages, nr_pages);
+ if (pages)
+ unpin_user_pages(pages, nr_pages);
kfree(pages);

return ret;
--
2.26.2

Next message: Paul E. McKenney: "Re: [patch V6 12/37] x86/entry: Provide idtentry_entry/exit_cond_rcu()"
Previous message: Thomas Gleixner: "Re: io_uring vs CPU hotplug, was Re: [PATCH 5/9] blk-mq: don't set data->ctx and data->hctx in blk_mq_alloc_request_hctx"
In reply to: syzbot: "general protection fault in unpin_user_pages"
Next in thread: santosh . shilimkar: "Re: [PATCH] rds: fix crash in rds_info_getsockopt()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]