Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp667981imm;
        Fri, 27 Jul 2018 04:07:23 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpea+FYjTn/Otorb05iwps2Q0kvNghPzpzU3QdjqhbKpoeqh55y5LT8AoWhCnuaE7e96fgOe
X-Received: by 2002:a17:902:9893:: with SMTP id s19-v6mr5607885plp.130.1532689643548;
        Fri, 27 Jul 2018 04:07:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1532689643; cv=none;
        d=google.com; s=arc-20160816;
        b=SLv/v3nzpj0pJbhAJI3S+Ikl+jXFpP3bInYcW8GHckVAQZntO6wiL/Q7hf9ak+Hms+
         59filTsNUdDH1DlBupMEsua6rzlP80Ua/bP2rCspzbbFZyfd7K/g8qHq2t5ogtk5y34r
         pDqaClviIjzQdc4rasN+MkPoCjYqcqRIZpE7ijf/EgmbNYwNgOp33rOT+ytWPeCF5xfB
         RSC0Zpo0IwntoJ1IdvKT0954i01CqfSV4VsOa3XzicM1rechxtfXA1x4i9XkNKk7OnGa
         UbwEu4T8fFiBjZr1AGhGLPCttg0wPwyhmQ7rsFdRxsuH0e6sAO67yXqNXTJfCboFvw8P
         cG7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature:arc-authentication-results;
        bh=2eCDJqCQOR5gJhwrnKSgSE2xyMt1RtU4mVw1jc49DtY=;
        b=qQLVdqww/fZYoXx4R/dyFPDrTGj62b8HPKpvPgJ2KGLIuY2ODxRi5B0FDBUTqIyzn6
         xkXWeRZ44c54CmyPF5hHMQEUa8bH7NEx0DpEHi7kYHLxJ/C5boou2RndUmAhSchHNWg5
         JaJrYLc3h6mi0JoBaQBGqesqUB/kRbF2k0zphWWjw4XQHHAMSZOTHw3aN4ZmCSr50V83
         z13BFEFU0bdU8qO16rxRc1rRGqqAf97rHGsmf+YXETUxMeOpSfas7Mco81wXS4Anccru
         eFf2aUiE/fYjSIxoVRgI+08LSJ1ZZPDA8AO1N0KPQC44dW+dGGEF5yB/iqG8TSf7psA2
         GUDw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=De9+5RYF;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g75-v6si4218082pfb.37.2018.07.27.04.07.09;
        Fri, 27 Jul 2018 04:07:23 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=De9+5RYF;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732043AbeG0M1d (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Fri, 27 Jul 2018 08:27:33 -0400
Received: from mail-lj1-f195.google.com ([209.85.208.195]:44097 "EHLO
        mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730753AbeG0M1d (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 27 Jul 2018 08:27:33 -0400
Received: by mail-lj1-f195.google.com with SMTP id q127-v6so4082096ljq.11;
        Fri, 27 Jul 2018 04:06:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=2eCDJqCQOR5gJhwrnKSgSE2xyMt1RtU4mVw1jc49DtY=;
        b=De9+5RYFkEKrgTdSJtIPY2K7AsY0faRjBt1jyqFm6s8g1YM4QQUEqJ2kURuCIhopoj
         bE7t7ndxcXjsvrwG0myxXF7rzcXkdZNDvlaE4mhe6GQIXZUUGyC2Y8C4msmsluRuS4Jx
         LteQaVxzGJOd7CihD9NOlov7d1OzOKLkoa6CqQ5spAY7hygsrXZFEjkoXtI/HZFPyghe
         yq+Tcp5zu2fhbHC8AN5bPa6MsZtc1bDYdByLADdMlwugPizh3qWEF0jqtW2HDhpooxYg
         K3YzXikjUuZKsk4tNI684Szgn0XWA3ENwl0+1cwpCEAJCPxwYDPhZM4wl46RpnssSXGF
         5Wyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=2eCDJqCQOR5gJhwrnKSgSE2xyMt1RtU4mVw1jc49DtY=;
        b=b8+MRintATTUFqy3MH61tiMpxyvtcnixtA5KIBl8PLB5MY8rqjA06wDO1Uh6E0eYD+
         vlkrBg41crtkNFRuPs2TlqgJq64Co6b0y+qu/nrhM+xxSXPXGK/PQP4JTMjFRig5pHt5
         CoMWtf2dIp/YiiFCiVkoVjf000woOjXgdrHh4lre4ND+CV/QeyrdZc7pU/hht5lgwAuz
         dOd4YhBEEvrL9pJ39ecw2hNTplTjoUQMF/TSAE4ZMrSUhqyXI8DrU71/2ZJvkziirkzr
         ZAAeECwOkZf1TYayXGUq4klwiF5g7L9n20R3q4efqwspzaYe5EfjYDUsC0XTr7vtAdUv
         PHqw==
X-Gm-Message-State: AOUpUlGoZeBTHHcfrAkvgBrMKijLIJsW3ZPPugF2badmCW7SK7DGMRq1
        M9GNhhqi0t1if6iQ07oVxIU=
X-Received: by 2002:a2e:1517:: with SMTP id s23-v6mr4813145ljd.73.1532689566182;
        Fri, 27 Jul 2018 04:06:06 -0700 (PDT)
Received: from debian-tom.lan ([2001:2012:22e:1b00:f2e2:9015:9262:3fde])
        by smtp.gmail.com with ESMTPSA id t66-v6sm616475lje.95.2018.07.27.04.06.04
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 27 Jul 2018 04:06:05 -0700 (PDT)
From:   Tomas Bortoli <tomasbortoli@gmail.com>
To:     ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net
Cc:     asmadeus@codewreck.org, davem@davemloft.net,
        v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, syzkaller@googlegroups.com,
        Tomas Bortoli <tomasbortoli@gmail.com>
Subject: [PATCH] 9p: fix multiple NULL-pointer-dereferences
Date:   Fri, 27 Jul 2018 13:05:58 +0200
Message-Id: <20180727110558.5479-1-tomasbortoli@gmail.com>
X-Mailer: git-send-email 2.11.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Added checks to prevent GPFs from raising.

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+1a262da37d3bead15c39@syzkaller.appspotmail.com
---
 net/9p/trans_fd.c     | 5 ++++-
 net/9p/trans_rdma.c   | 3 +++
 net/9p/trans_virtio.c | 3 +++
 net/9p/trans_xen.c    | 3 +++
 4 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 964260265b13..e2ef3c782c53 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -945,7 +945,7 @@ p9_fd_create_tcp(struct p9_client *client, const char *addr, char *args)
 	if (err < 0)
 		return err;
 
-	if (valid_ipaddr4(addr) < 0)
+	if (addr == NULL || valid_ipaddr4(addr) < 0)
 		return -EINVAL;
 
 	csocket = NULL;
@@ -995,6 +995,9 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args)
 
 	csocket = NULL;
 
+	if (addr == NULL)
+		return -EINVAL;
+
 	if (strlen(addr) >= UNIX_PATH_MAX) {
 		pr_err("%s (%d): address too long: %s\n",
 		       __func__, task_pid_nr(current), addr);
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
index 2649b2ebf961..2ab4574183c9 100644
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -645,6 +645,9 @@ rdma_create_trans(struct p9_client *client, const char *addr, char *args)
 	struct rdma_conn_param conn_param;
 	struct ib_qp_init_attr qp_attr;
 
+	if (addr == NULL)
+		return -EINVAL;
+
 	/* Parse the transport specific mount options */
 	err = parse_opts(args, &opts);
 	if (err < 0)
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 06dcd3cc6a29..8ca356eb66bb 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -654,6 +654,9 @@ p9_virtio_create(struct p9_client *client, const char *devname, char *args)
 	int ret = -ENOENT;
 	int found = 0;
 
+	if (devname == NULL)
+		return -EINVAL;
+
 	mutex_lock(&virtio_9p_lock);
 	list_for_each_entry(chan, &virtio_chan_list, chan_list) {
 		if (!strncmp(devname, chan->tag, chan->tag_len) &&
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 2e2b8bca54f3..c2d54ac76bfd 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -94,6 +94,9 @@ static int p9_xen_create(struct p9_client *client, const char *addr, char *args)
 {
 	struct xen_9pfs_front_priv *priv;
 
+	if (addr == NULL)
+		return -EINVAL;
+
 	read_lock(&xen_9pfs_lock);
 	list_for_each_entry(priv, &xen_9pfs_devs, list) {
 		if (!strcmp(priv->tag, addr)) {
-- 
2.11.0