diff options
author | Xin Long <lucien.xin@gmail.com> | 2019-09-03 17:53:12 +0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-09-19 09:09:32 +0200 |
commit | 9a4598424e99feda9c6592230a0d020869f776f1 (patch) | |
tree | 91c575394299c99eeeddc67362cbcbea03271746 /net/tipc | |
parent | 67fe3b94a833779caf4504ececa7097fba9b2627 (diff) | |
download | linux-stable-9a4598424e99feda9c6592230a0d020869f776f1.tar.gz linux-stable-9a4598424e99feda9c6592230a0d020869f776f1.tar.bz2 linux-stable-9a4598424e99feda9c6592230a0d020869f776f1.zip |
tipc: add NULL pointer check before calling kfree_rcu
[ Upstream commit 42dec1dbe38239cf91cc1f4df7830c66276ced37 ]
Unlike kfree(p), kfree_rcu(p, rcu) won't do NULL pointer check. When
tipc_nametbl_remove_publ returns NULL, the panic below happens:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
RIP: 0010:__call_rcu+0x1d/0x290
Call Trace:
<IRQ>
tipc_publ_notify+0xa9/0x170 [tipc]
tipc_node_write_unlock+0x8d/0x100 [tipc]
tipc_node_link_down+0xae/0x1d0 [tipc]
tipc_node_check_dest+0x3ea/0x8f0 [tipc]
? tipc_disc_rcv+0x2c7/0x430 [tipc]
tipc_disc_rcv+0x2c7/0x430 [tipc]
? tipc_rcv+0x6bb/0xf20 [tipc]
tipc_rcv+0x6bb/0xf20 [tipc]
? ip_route_input_slow+0x9cf/0xb10
tipc_udp_recv+0x195/0x1e0 [tipc]
? tipc_udp_is_known_peer+0x80/0x80 [tipc]
udp_queue_rcv_skb+0x180/0x460
udp_unicast_rcv_skb.isra.56+0x75/0x90
__udp4_lib_rcv+0x4ce/0xb90
ip_local_deliver_finish+0x11c/0x210
ip_local_deliver+0x6b/0xe0
? ip_rcv_finish+0xa9/0x410
ip_rcv+0x273/0x362
Fixes: 97ede29e80ee ("tipc: convert name table read-write lock to RCU")
Reported-by: Li Shuang <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/tipc')
-rw-r--r-- | net/tipc/name_distr.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c index 3cfeb9df64b0..e0a3dd424d8c 100644 --- a/net/tipc/name_distr.c +++ b/net/tipc/name_distr.c @@ -221,7 +221,8 @@ static void tipc_publ_purge(struct net *net, struct publication *publ, u32 addr) publ->key); } - kfree_rcu(p, rcu); + if (p) + kfree_rcu(p, rcu); } /** |