From: Ying Xue
Subject: [PATCH net-next] tipc: fix a potential oops
Date: Thu, 28 Aug 2014 10:02:41 +0800
Message-ID: <1409191361-28179-1-git-send-email-ying.xue@windriver.com>
X-Patchwork-Id: 383635
X-Patchwork-Delegate: davem@davemloft.net
X-Mailing-List: netdev@vger.kernel.org

Commit 6c9808ce09f7 ("tipc: remove port_lock") accidentally involves a potential bug: when tipc socket instance (tsk) is not got with given reference number in tipc_sk_get(), tsk is set to NULL. Subsequently we jump to the exit label, where we decrease the socket reference counter pointed to by the tsk pointer in tipc_sk_put(). However, as tsk is now NULL, an oops may happen because of touching a NULL pointer.
Signed-off-by: Ying Xue
Acked-by: Erik Hugne
Acked-by: Jon Maloy
---
Hi David, please notice that I just submit the patch to net-next as the commit 6c9808ce09f7 is not merged into net tree so far.

 net/tipc/socket.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/tipc/socket.c b/net/tipc/socket.c index d416e83..75275c5 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -2118,9 +2118,9 @@ static void tipc_sk_timeout(unsigned long ref) tsk = tipc_sk_get(ref); if (!tsk) - goto exit; - sk = &tsk->sk; + return; + sk = &tsk->sk; bh_lock_sock(sk); if (!tsk->connected) { bh_unlock_sock(sk);
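
Review bot: the early `return;` under `if (!tsk)` in tipc_sk_timeout() now bypasses everything at the `exit` label, and that label is outside the visible context, so the changelog should state that `exit` does nothing besides `tipc_sk_put(tsk)`; if it does anything else, that work still has to happen on the lookup-failure path. The removal and re-addition of `sk = &tsk->sk;` looks like a whitespace-only move, since the assignment already sat after the NULL check, and could be dropped so the fix stays a one-line `goto exit;` to `return;` change. A short comment at the check saying that no reference is held when `tipc_sk_get(ref)` fails would help keep a later cleanup from reintroducing the `goto`.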