diff options
| author | Qinglang Miao <miaoqinglang@huawei.com> | 2021-01-05 08:57:54 +0300 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2021-01-06 03:50:09 +0300 |
| commit | 4beb17e553b49c3dd74505c9f361e756aaae653e (patch) | |
| tree | 9914a730f6d332f64b770a3285d03303b54857e3 /net/qrtr/qrtr.c | |
| parent | 7a68d725e4ea384977445e0bcaed3d7de83ab5b3 (diff) | |
| download | linux-4beb17e553b49c3dd74505c9f361e756aaae653e.tar.xz | |
net: qrtr: fix null-ptr-deref in qrtr_ns_remove
A null-ptr-deref bug is reported by Hulk Robot like this:
--------------
KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]
Call Trace:
qrtr_ns_remove+0x22/0x40 [ns]
qrtr_proto_fini+0xa/0x31 [qrtr]
__x64_sys_delete_module+0x337/0x4e0
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x468ded
--------------
When qrtr_ns_init fails in qrtr_proto_init, qrtr_ns_remove which would
be called later on would raise a null-ptr-deref because qrtr_ns.workqueue
has been destroyed.
Fix it by making qrtr_ns_init have a return value and adding a check in
qrtr_proto_init.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/qrtr/qrtr.c')
| -rw-r--r-- | net/qrtr/qrtr.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c index f4ab3ca6d73b..b34358282f37 100644 --- a/net/qrtr/qrtr.c +++ b/net/qrtr/qrtr.c @@ -1287,13 +1287,19 @@ static int __init qrtr_proto_init(void) return rc; rc = sock_register(&qrtr_family); - if (rc) { - proto_unregister(&qrtr_proto); - return rc; - } + if (rc) + goto err_proto; - qrtr_ns_init(); + rc = qrtr_ns_init(); + if (rc) + goto err_sock; + return 0; + +err_sock: + sock_unregister(qrtr_family.family); +err_proto: + proto_unregister(&qrtr_proto); return rc; } postcore_initcall(qrtr_proto_init); |