Revision 34f5b0066435ffb793049b84fafd29fa195bcf90 authored by Sasha Levin on 16 September 2015, 19:30:21 UTC, committed by David S. Miller on 18 September 2015, 05:13:32 UTC
If we didn't call ATMARP_MKIP before ATMARP_ENCAP the VCC descriptor is
non-existent and we'll end up dereferencing a NULL ptr:

[1033173.491930] kasan: GPF could be caused by NULL-ptr deref or user memory accessirq event stamp: 123386
[1033173.493678] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[1033173.493689] Modules linked in:
[1033173.493697] CPU: 9 PID: 23815 Comm: trinity-c64 Not tainted 4.2.0-next-20150911-sasha-00043-g353d875-dirty #2545
[1033173.493706] task: ffff8800630c4000 ti: ffff880063110000 task.ti: ffff880063110000
[1033173.493823] RIP: clip_ioctl (net/atm/clip.c:320 net/atm/clip.c:689)
[1033173.493826] RSP: 0018:ffff880063117a88  EFLAGS: 00010203
[1033173.493828] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000000c
[1033173.493830] RDX: 0000000000000002 RSI: ffffffffb3f10720 RDI: 0000000000000014
[1033173.493832] RBP: ffff880063117b80 R08: ffff88047574d9a4 R09: 0000000000000000
[1033173.493834] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000c622f53
[1033173.493836] R13: ffff8800cb905500 R14: ffff8808d6da2000 R15: 00000000fffffdfd
[1033173.493840] FS:  00007fa56b92d700(0000) GS:ffff880478000000(0000) knlGS:0000000000000000
[1033173.493843] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[1033173.493845] CR2: 0000000000000000 CR3: 00000000630e8000 CR4: 00000000000006a0
[1033173.493855] Stack:
[1033173.493862]  ffffffffb0b60444 000000000000eaea 0000000041b58ab3 ffffffffb3c3ce32
[1033173.493867]  ffffffffb0b6f3e0 ffffffffb0b60444 ffffffffb5ea2e50 1ffff1000c622f5e
[1033173.493873]  ffff8800630c4cd8 00000000000ee09a ffffffffb3ec4888 ffffffffb5ea2de8
[1033173.493874] Call Trace:
[1033173.494108] do_vcc_ioctl (net/atm/ioctl.c:170)
[1033173.494113] vcc_ioctl (net/atm/ioctl.c:189)
[1033173.494116] svc_ioctl (net/atm/svc.c:605)
[1033173.494200] sock_do_ioctl (net/socket.c:874)
[1033173.494204] sock_ioctl (net/socket.c:958)
[1033173.494244] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[1033173.494290] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[1033173.494295] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:186)
[1033173.494362] Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 50 09 00 00 49 8b 9e 60 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 14 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 14 09 00
All code

========
   0:   fa                      cli
   1:   48 c1 ea 03             shr    $0x3,%rdx
   5:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   9:   0f 85 50 09 00 00       jne    0x95f
   f:   49 8b 9e 60 06 00 00    mov    0x660(%r14),%rbx
  16:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  1d:   fc ff df
  20:   48 8d 7b 14             lea    0x14(%rbx),%rdi
  24:   48 89 fa                mov    %rdi,%rdx
  27:   48 c1 ea 03             shr    $0x3,%rdx
  2b:*  0f b6 04 02             movzbl (%rdx,%rax,1),%eax               <-- trapping instruction
  2f:   48 89 fa                mov    %rdi,%rdx
  32:   83 e2 07                and    $0x7,%edx
  35:   38 d0                   cmp    %dl,%al
  37:   7f 08                   jg     0x41
  39:   84 c0                   test   %al,%al
  3b:   0f 85 14 09 00 00       jne    0x955

Code starting with the faulting instruction
===========================================
   0:   0f b6 04 02             movzbl (%rdx,%rax,1),%eax
   4:   48 89 fa                mov    %rdi,%rdx
   7:   83 e2 07                and    $0x7,%edx
   a:   38 d0                   cmp    %dl,%al
   c:   7f 08                   jg     0x16
   e:   84 c0                   test   %al,%al
  10:   0f 85 14 09 00 00       jne    0x92a
[1033173.494366] RIP clip_ioctl (net/atm/clip.c:320 net/atm/clip.c:689)
[1033173.494368]  RSP <ffff880063117a88>

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 1d325d2