Patchwork ipvs: freeing uninitialized pointer on error

login
register
mail settings
Submitter Dan Carpenter
Date Jan. 25, 2013, 3:44 p.m.
Message ID <20130125154456.GB5908@elgon.mountain>
Download mbox | patch
Permalink /patch/215782/
State Not Applicable
Delegated to: David Miller
Headers show

Comments

Dan Carpenter - Jan. 25, 2013, 3:44 p.m.
If state != IP_VS_STATE_BACKUP then tinfo->buf is uninitialized.  If
kthread_run() fails then it means we free random memory resulting in an
oops.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Julian Anastasov - Jan. 25, 2013, 8:56 p.m.
Hello,

On Fri, 25 Jan 2013, Dan Carpenter wrote:

> If state != IP_VS_STATE_BACKUP then tinfo->buf is uninitialized.  If
> kthread_run() fails then it means we free random memory resulting in an
> oops.

	Good catch. Simon, please apply!

	Problem is in 3.5+ caused by commit f73181c828
(ipvs: add support for sync threads)

> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Acked-by: Julian Anastasov <ja@ssi.bg>

> diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
> index effa10c..44fd10c 100644
> --- a/net/netfilter/ipvs/ip_vs_sync.c
> +++ b/net/netfilter/ipvs/ip_vs_sync.c
> @@ -1795,6 +1795,8 @@ int start_sync_thread(struct net *net, int state, char *mcast_ifn, __u8 syncid)
>  					     GFP_KERNEL);
>  			if (!tinfo->buf)
>  				goto outtinfo;
> +		} else {
> +			tinfo->buf = NULL;
>  		}
>  		tinfo->id = id;

Regards

--
Julian Anastasov <ja@ssi.bg>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index effa10c..44fd10c 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -1795,6 +1795,8 @@  int start_sync_thread(struct net *net, int state, char *mcast_ifn, __u8 syncid)
 					     GFP_KERNEL);
 			if (!tinfo->buf)
 				goto outtinfo;
+		} else {
+			tinfo->buf = NULL;
 		}
 		tinfo->id = id;