From c258bf3ad07985eaf4e07d7667b7882cb9a2661b Mon Sep 17 00:00:00 2001 Message-Id: From: Davide Caratti Date: Tue, 27 Feb 2018 12:45:11 +0100 Subject: [PATCH net] af_smc: fix NULL pointer dereference on sock_create_kern() error path when sock_create_kern(..., a) returns an error, 'a' might not be a valid pointer, so it shouldn't be dereferenced to read a->sk->sk_sndbuf and a->sk->sk_rcvbuf. Fixes: cd6851f30386 smc: remote memory buffers (RMBs) Reported-by: syzbot+3a0748c8f2f210c0ef9b@syzkaller.appspotmail.com Signed-off-by: Davide Caratti --- net/smc/af_smc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c index 38ae22b65e77..27e7d0b59da9 100644 --- a/net/smc/af_smc.c +++ b/net/smc/af_smc.c @@ -1405,8 +1405,10 @@ static int smc_create(struct net *net, struct socket *sock, int protocol, smc->use_fallback = false; /* assume rdma capability first */ rc = sock_create_kern(net, PF_INET, SOCK_STREAM, IPPROTO_TCP, &smc->clcsock); - if (rc) + if (rc) { sk_common_release(sk); + goto out; + } smc->sk.sk_sndbuf = max(smc->clcsock->sk->sk_sndbuf, SMC_BUF_MIN_SIZE); smc->sk.sk_rcvbuf = max(smc->clcsock->sk->sk_rcvbuf, SMC_BUF_MIN_SIZE); -- 2.14.3
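Review bot: the `goto out;` added after `sk_common_release(sk);` jumps to a label that is not visible in this hunk, so please confirm that `out:` in smc_create() returns `rc` and not 0; `rc` already holds the sock_create_kern() error at that point, and the early exit must propagate it rather than report a successfully created socket whose `smc->clcsock` was never filled in. Since `sk_common_release(sk)` has already dropped the socket, nothing between the label and the return may touch `sk` or `smc`. It would also help to state in the commit message that sock_create_kern() only assigns `*res` on success, which is exactly why `smc->clcsock->sk->sk_sndbuf` and `smc->clcsock->sk->sk_rcvbuf` cannot be read on the error path, and to write the tag in the kernel's conventional form, `Fixes: cd6851f30386 ("smc: remote memory buffers (RMBs)")`.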