[rds-devel] [PATCH net] rds: Fix NULL pointer dereference in __rds_rdma_map

David Miller davem at davemloft.net
Wed Dec 6 12:45:03 PST 2017


From: Håkon Bugge <Haakon.Bugge at oracle.com>
Date: Wed,  6 Dec 2017 17:18:28 +0100

> This is a fix for syzkaller719569, where memory registration was
> attempted without any underlying transport being loaded.
> 
> Analysis of the case reveals that it is the setsockopt() RDS_GET_MR
> (2) and RDS_GET_MR_FOR_DEST (7) that are vulnerable.
> 
> Here is an example stack trace when the bug is hit:
 ...
> The fix is to check the existence of an underlying transport in
> __rds_rdma_map().
> 
> Signed-off-by: Håkon Bugge <haakon.bugge at oracle.com>
> Reported-by: syzbot <syzkaller at googlegroups.com>

Applied and queued up for -stable, thanks.
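
A simplified user-space model of the check described in the quoted commit message, added here as an example; it is not the kernel patch and not code from this thread. All struct names, function names and error codes are assumptions made for the model; only the option numbers 2 and 7 come from the message.

```c
#include <errno.h>
#include <stddef.h>

/* Option numbers as quoted in the commit message; the names are hypothetical. */
enum { OPT_GET_MR = 2, OPT_GET_MR_FOR_DEST = 7 };

/* Hypothetical transport ops table: the socket only has one once a
 * transport has been attached to it. */
struct transport {
    int (*get_mr)(size_t len, unsigned *key);
};

struct sock_model {
    const struct transport *trans;   /* NULL until a transport is attached */
};

/* Constructed stand-in for a loaded transport's registration routine. */
static int demo_get_mr(size_t len, unsigned *key)
{
    *key = 0x1000u + (unsigned)len;
    return 0;
}
static const struct transport demo_transport = { demo_get_mr };

/* Before: assumes a transport exists, so a socket without one makes this
 * dereference a NULL pointer. Kept for comparison; never called here. */
int map_unchecked(struct sock_model *s, size_t len, unsigned *key)
{
    return s->trans->get_mr(len, key);
}

/* After: refuse the request when no transport is attached. */
int map_checked(struct sock_model *s, size_t len, unsigned *key)
{
    if (s->trans == NULL || s->trans->get_mr == NULL)
        return -ENOTCONN;            /* errno chosen for this model */
    return s->trans->get_mr(len, key);
}

/* Both option numbers funnel into the same mapping routine, which is why
 * a single check there covers both entry points. */
int model_setsockopt(struct sock_model *s, int optname, size_t len, unsigned *key)
{
    switch (optname) {
    case OPT_GET_MR:
    case OPT_GET_MR_FOR_DEST:
        return map_checked(s, len, key);
    default:
        return -ENOPROTOOPT;
    }
}
```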


