diff options
| author | Xin Long <lucien.xin@gmail.com> | 2022-11-19 00:45:00 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2022-11-22 07:45:24 +0300 |
| commit | 0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4 (patch) | |
| tree | a875c2cc918b43b357a670db87d82a971edbbecf /net/l3mdev | |
| parent | 1f0dd412e34e177621769866bef347f0b22364df (diff) | |
| download | linux-0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4.tar.xz | |
tipc: set con sock in tipc_conn_alloc
A crash was reported by Wei Chen:
BUG: kernel NULL pointer dereference, address: 0000000000000018
RIP: 0010:tipc_conn_close+0x12/0x100
Call Trace:
tipc_topsrv_exit_net+0x139/0x320
ops_exit_list.isra.9+0x49/0x80
cleanup_net+0x31a/0x540
process_one_work+0x3fa/0x9f0
worker_thread+0x42/0x5c0
It was caused by !con->sock in tipc_conn_close(). In tipc_topsrv_accept(),
con is allocated in conn_idr then its sock is set:
con = tipc_conn_alloc();
... <----[1]
con->sock = newsock;
If tipc_conn_close() is called in anytime of [1], the null-pointer-def
is triggered by con->sock->sk due to con->sock is not yet set.
This patch fixes it by moving the con->sock setting to tipc_conn_alloc()
under s->idr_lock. So that con->sock can never be NULL when getting the
con from s->conn_idr. It will be also safer to move con->server and flag
CF_CONNECTED setting under s->idr_lock, as they should all be set before
tipc_conn_alloc() is called.
Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
Reported-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/l3mdev')
0 files changed, 0 insertions, 0 deletions