From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Tomas Bortoli", "Latchesar Ionkov", "Ron Minnich", syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com, "Jun Piao", "Dominique Martinet", "Eric Van Hensbergen", "Yiwen Jiang"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 127/328] net/9p/client.c: version pointer uninitialized

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tomas Bortoli

commit 7913690dcc5e18e235769fd87c34143072f5dbea upstream.

The p9_client_version() does not initialize the version pointer. If the
call to p9pdu_readf() returns an error and version has not been allocated
in p9pdu_readf(), then the program will jump to the "error" label and
will try to free the version pointer. If version is not initialized,
free() will be called with uninitialized, garbage data and will provoke
a crash.

Link: http://lkml.kernel.org/r/20180709222943.19503-1-tomasbortoli@gmail.com
Signed-off-by: Tomas Bortoli
Reported-by: syzbot+65c6b72f284a39d416b4@syzkaller.appspotmail.com
Reviewed-by: Jun Piao
Reviewed-by: Yiwen Jiang
Cc: Eric Van Hensbergen
Cc: Ron Minnich
Cc: Latchesar Ionkov
Signed-off-by: Andrew Morton
Signed-off-by: Dominique Martinet
Signed-off-by: Ben Hutchings
---
 net/9p/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -938,7 +938,7 @@ static int p9_client_version(struct p9_c { int err = 0; struct p9_req_t *req; - char *version; + char *version = NULL; int msize; p9_debug(P9_DEBUG_9P, ">>> TVERSION msize %d protocol %d\n",
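Review bot: the `char *version = NULL;` initialization is the right minimal fix, but it is only sufficient because the free at the "error" label (kfree() in kernel code) treats NULL as a no-op; the hunk does not show that label, so confirm in the same function that the error path does a plain free of `version` with no dereference first, and that no `goto error` between this declaration and the allocating p9pdu_readf() call assigns `version` a pointer the function does not own. It would also help readers of the one-line diff if the commit message stated explicitly that the fix relies on freeing NULL being harmless, since that is what turns a garbage-pointer free into a clean error return.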
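The bug class this patch fixes, a pointer declared without an initializer and then released at a shared error label that some early-exit paths reach before the pointer was ever assigned, is easier to see in a self-contained userspace model than in the one-line diff. The following is an added example, not code from the patch or from net/9p; `readf_version()` is a constructed stand-in for p9pdu_readf() parsing a 9P string field (2-byte little-endian length, then the bytes), `client_version()` mirrors the hardened shape of p9_client_version() with the `= NULL` fix applied, and the sample PDUs are constructed to exercise the three paths that matter: success, failure before allocation, and failure after allocation.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for p9pdu_readf() reading an "s" (9P string) field:
 * a 2-byte little-endian length followed by that many bytes.  Like the real
 * helper, it allocates the output string only on success; on a short or
 * malformed buffer it returns an error and leaves *out untouched. */
static int readf_version(const unsigned char *pdu, size_t len, char **out)
{
    size_t slen;
    char *s;

    if (len < 2)
        return -EINVAL;        /* no length prefix: fail before allocating */
    slen = (size_t)pdu[0] | ((size_t)pdu[1] << 8);
    if (slen > len - 2)
        return -EINVAL;        /* length runs past the buffer: fail before allocating */
    s = malloc(slen + 1);
    if (!s)
        return -ENOMEM;
    memcpy(s, pdu + 2, slen);
    s[slen] = '\0';
    *out = s;
    return 0;
}

/* Hardened shape of p9_client_version(): `version` starts at NULL, so when
 * readf_version() fails before allocating, the shared error label frees NULL,
 * which free() (like the kernel's kfree()) treats as a no-op.  With the
 * original `char *version;` that same path would hand a garbage stack value
 * to free().  The negotiated version string is copied into `out` (capacity `cap`). */
int client_version(const unsigned char *pdu, size_t len, char *out, size_t cap)
{
    int err = 0;
    char *version = NULL;      /* the one-line fix from the patch */

    err = readf_version(pdu, len, &version);
    if (err)
        goto error;            /* version is still NULL on this path */

    if (strcmp(version, "9P2000") != 0 && strcmp(version, "9P2000.u") != 0) {
        err = -EPROTO;         /* peer offered a version we do not speak */
        goto error;            /* version IS allocated here and must be freed */
    }
    if (strlen(version) >= cap) {
        err = -ENOSPC;
        goto error;
    }
    strcpy(out, version);

error:
    free(version);             /* safe on every path: NULL or a live allocation */
    return err;
}

/* Constructed sample PDUs (not captured traffic). */
static const unsigned char pdu_ok[]        = { 6, 0, '9', 'P', '2', '0', '0', '0' };
static const unsigned char pdu_truncated[] = { 6, 0, '9', 'P' };     /* claims 6 bytes, carries 2 */
static const unsigned char pdu_unknown[]   = { 6, 0, '9', 'P', '1', '9', '9', '9' };

/* Small wrappers so each path has a named, checkable result. */
int demo_ok(void)        { char v[16]; return client_version(pdu_ok, sizeof pdu_ok, v, sizeof v); }
int demo_truncated(void) { char v[16]; return client_version(pdu_truncated, sizeof pdu_truncated, v, sizeof v); }
int demo_empty(void)     { char v[16]; return client_version(pdu_ok, 0, v, sizeof v); }
int demo_unknown(void)   { char v[16]; return client_version(pdu_unknown, sizeof pdu_unknown, v, sizeof v); }
int demo_ok_string_matches(void)
{
    char v[16] = "";
    if (client_version(pdu_ok, sizeof pdu_ok, v, sizeof v) != 0)
        return 0;
    return strcmp(v, "9P2000") == 0;
}

int main(void)
{
    char v[16] = "";
    int err = client_version(pdu_ok, sizeof pdu_ok, v, sizeof v);
    printf("ok:        err=%d version=%s\n", err, v);
    printf("truncated: err=%d\n", demo_truncated());
    printf("empty:     err=%d\n", demo_empty());
    printf("unknown:   err=%d\n", demo_unknown());
    return 0;
}
```

The design point is that a single cleanup label is only safe when every pointer it releases is in a defined state on every path that can reach it; initializing to NULL at declaration is the cheapest way to guarantee that, and compilers with `-Wmaybe-uninitialized` or static checkers will usually flag the original pattern once a `goto` precedes the first assignment.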