From 9969f4229cb12c59b85a05173822dbd70f5e931e Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 1 Apr 2014 16:05:48 -0400
Subject: [PATCH] CVE-2014-2678 net: rds: deref of NULL dev in
 rds_iw_laddr_check (rhbz 1083274 1083280)

---
 kernel.spec                                   |  9 ++++++
 ...-a-NULL-device-in-rds_iw_laddr_check.patch | 31 +++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch

diff --git a/kernel.spec b/kernel.spec
index 1723dc530..5d7e0dc11 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -645,6 +645,9 @@ Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
 #CVE-2014-2580 rhbz 1080084 1080086
 Patch25052: net-xen-netback-disable-rogue-vif-in-kthread-context.patch
 
+#CVE-2014-2678 rhbz 1083274 1083280
+Patch25054: rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1295,6 +1298,9 @@ ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
 #CVE-2014-2580 rhbz 1080084 1080086
 ApplyPatch net-xen-netback-disable-rogue-vif-in-kthread-context.patch
 
+#CVE-2014-2678 rhbz 1083274 1083280
+ApplyPatch rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2075,6 +2081,9 @@ fi
 #                                    ||     ||
 %changelog
 * Tue Apr 01 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.15.0-0.rc0.git2.1
+- CVE-2014-2678 net: rds: deref of NULL dev in rds_iw_laddr_check (rhbz 1083274 1083280)
+
+* Tue Apr 01 2014 Josh Boyer <jwboyer@fedoraproject.org> 
 - Linux v3.14-751-g683b6c6f82a6
 
 * Tue Apr 01 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.15.0-0.rc0.git1.1
diff --git a/rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch b/rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
new file mode 100644
index 000000000..2caf0666e
--- /dev/null
+++ b/rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
@@ -0,0 +1,31 @@
+Bugzilla: 1083280
+Upstream-status: Queued for 3.15
+
+From bf39b4247b8799935ea91d90db250ab608a58e50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Sat, 29 Mar 2014 20:39:35 -0400
+Subject: rds: prevent dereference of a NULL device in rds_iw_laddr_check
+
+Binding might result in a NULL device which is later dereferenced
+without checking.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/rds/iw.c b/net/rds/iw.c
+index 7826d46..5899356 100644
+--- a/net/rds/iw.c
++++ b/net/rds/iw.c
+@@ -239,7 +239,8 @@ static int rds_iw_laddr_check(__be32 addr)
+ 	ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin);
+ 	/* due to this, we will claim to support IB devices unless we
+ 	   check node_type. */
+-	if (ret || cm_id->device->node_type != RDMA_NODE_RNIC)
++	if (ret || !cm_id->device ||
++	    cm_id->device->node_type != RDMA_NODE_RNIC)
+ 		ret = -EADDRNOTAVAIL;
+ 
+ 	rdsdebug("addr %pI4 ret %d node type %d\n",
+-- 
+cgit v0.10.1
+