On 9/24/19 11:27 PM, Ka-Cheong Poon wrote:
In rds_bind(), laddr_check is called without checking if it is NULL or not. And rs_transport should be reset if rds_add_bound() fails.Fixes: c5c1a030a7db ("net/rds: Check laddr_check before calling it")
Oops, wrong Subject. Will re-submit. Sorry about that.
Reported-by: syzbot+fae39afd2101a17ec...@syzkaller.appspotmail.com Signed-off-by: Ka-Cheong Poon <ka-cheong.p...@oracle.com> Acked-by: Santosh Shilimkar <santosh.shilim...@oracle.com> --- net/rds/bind.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/rds/bind.c b/net/rds/bind.c index 20c156a..5b5fb4c 100644 --- a/net/rds/bind.c +++ b/net/rds/bind.c @@ -244,7 +244,8 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) */ if (rs->rs_transport) { trans = rs->rs_transport; - if (trans->laddr_check(sock_net(sock->sk), + if (!trans->laddr_check || + trans->laddr_check(sock_net(sock->sk), binding_addr, scope_id) != 0) { ret = -ENOPROTOOPT; goto out; @@ -263,6 +264,8 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)sock_set_flag(sk, SOCK_RCU_FREE);ret = rds_add_bound(rs, binding_addr, &port, scope_id); + if (ret) + rs->rs_transport = NULL;out:release_sock(sk);
-- K. Poon ka-cheong.p...@oracle.com
