ipvs: freeing uninitialized pointer on error

Message ID	20130125154456.GB5908@elgon.mountain
State	Not Applicable, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> Date: Fri, 25 Jan 2013 18:44:57 +0300 From: Dan Carpenter <dan.carpenter@oracle.com> To: Wensong Zhang <wensong@linux-vs.org> Cc: Simon Horman <horms@verge.net.au>, Julian Anastasov <ja@ssi.bg>, Pablo Neira Ayuso <pablo@netfilter.org>, Patrick McHardy <kaber@trash.net>, "David S. Miller" <davem@davemloft.net>, netdev@vger.kernel.org, lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org, coreteam@netfilter.org, kernel-janitors@vger.kernel.org Subject: [patch] ipvs: freeing uninitialized pointer on error Message-ID: <20130125154456.GB5908@elgon.mountain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

20130125154456.GB5908@elgon.mountain

State

Not Applicable, archived

Delegated to:

David Miller

Headers

Date: Fri, 25 Jan 2013 18:44:57 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Wensong Zhang <wensong@linux-vs.org>
Cc: Simon Horman <horms@verge.net.au>, Julian Anastasov <ja@ssi.bg>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Patrick McHardy <kaber@trash.net>,
	"David S. Miller" <davem@davemloft.net>, netdev@vger.kernel.org,
	lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org,
	netfilter@vger.kernel.org, coreteam@netfilter.org,
	kernel-janitors@vger.kernel.org
Subject: [patch] ipvs: freeing uninitialized pointer on error
Message-ID: <20130125154456.GB5908@elgon.mountain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Dan Carpenter Jan. 25, 2013, 3:44 p.m. UTC

If state != IP_VS_STATE_BACKUP then tinfo->buf is uninitialized.  If
kthread_run() fails then it means we free random memory resulting in an
oops.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Julian Anastasov Jan. 25, 2013, 8:56 p.m. UTC | #1

Hello,

On Fri, 25 Jan 2013, Dan Carpenter wrote:

> If state != IP_VS_STATE_BACKUP then tinfo->buf is uninitialized.  If
> kthread_run() fails then it means we free random memory resulting in an
> oops.

	Good catch. Simon, please apply!

	Problem is in 3.5+ caused by commit f73181c828
(ipvs: add support for sync threads)

> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Acked-by: Julian Anastasov <ja@ssi.bg>

> diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
> index effa10c..44fd10c 100644
> --- a/net/netfilter/ipvs/ip_vs_sync.c
> +++ b/net/netfilter/ipvs/ip_vs_sync.c
> @@ -1795,6 +1795,8 @@ int start_sync_thread(struct net *net, int state, char *mcast_ifn, __u8 syncid)
>  					     GFP_KERNEL);
>  			if (!tinfo->buf)
>  				goto outtinfo;
> +		} else {
> +			tinfo->buf = NULL;
>  		}
>  		tinfo->id = id;

Regards

--
Julian Anastasov <ja@ssi.bg>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index effa10c..44fd10c 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -1795,6 +1795,8 @@  int start_sync_thread(struct net *net, int state, char *mcast_ifn, __u8 syncid)
 					     GFP_KERNEL);
 			if (!tinfo->buf)
 				goto outtinfo;
+		} else {
+			tinfo->buf = NULL;
 		}
 		tinfo->id = id;

ipvs: freeing uninitialized pointer on error

Commit Message

Comments

Patch