Message ID | 20190725092021.15855-1-baijiaju1990@gmail.com |
---|---|
State | Changes Requested |
Delegated to: | David Miller |
Series | net: tipc: Fix a possible null-pointer dereference in tipc_publ_purge() |
On 7/25/19 5:20 PM, Jia-Ju Bai wrote: > In tipc_publ_purge(), there is an if statement on 215 to > check whether p is NULL: > if (p) > > When p is NULL, it is used on line 226: > kfree_rcu(p, rcu); > > Thus, a possible null-pointer dereference may occur. > > To fix this bug, p is checked before being used. > > This bug is found by a static analysis tool STCheck written by us. > > Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> > --- > net/tipc/name_distr.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c > index 44abc8e9c990..241ed2274473 100644 > --- a/net/tipc/name_distr.c > +++ b/net/tipc/name_distr.c > @@ -223,7 +223,8 @@ static void tipc_publ_purge(struct net *net, struct publication *publ, u32 addr) > publ->key); > } > > - kfree_rcu(p, rcu); > + if (p) No, I don't think so, because kfree_rcu() will internally check whether the "p" pointer is NULL or not. > + kfree_rcu(p, rcu); > } > > /** >
From: Jia-Ju Bai <baijiaju1990@gmail.com> Date: Thu, 25 Jul 2019 17:20:21 +0800 > @@ -223,7 +223,8 @@ static void tipc_publ_purge(struct net *net, struct publication *publ, u32 addr) > publ->key); > } > > - kfree_rcu(p, rcu); > + if (p) > + kfree_rcu(p, rcu); Please fix your automated tools if that is what found this, because as others have noted kfree_rcu() can take a NULL pointer argument just fine. Thank you.
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c index 44abc8e9c990..241ed2274473 100644 --- a/net/tipc/name_distr.c +++ b/net/tipc/name_distr.c @@ -223,7 +223,8 @@ static void tipc_publ_purge(struct net *net, struct publication *publ, u32 addr) publ->key); } - kfree_rcu(p, rcu); + if (p) + kfree_rcu(p, rcu); } /**
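Review bot: The new `if (p)` guard in front of `kfree_rcu(p, rcu);` is only justified if kfree_rcu() cannot accept a NULL argument, and the commit message does not establish that: handing a NULL pointer to a free-style routine is not by itself a null-pointer dereference, and the replies in this thread state that kfree_rcu() tolerates NULL, which would make the added check a no-op. Either drop the hunk, or cite in the commit message what kfree_rcu() actually does with NULL and rephrase the problem statement accordingly ("null-pointer dereference" is wrong if nothing is dereferenced). The commit message also points at an `if (p)` on line 215 that lies outside this hunk, so a reviewer reading only the diff cannot see the path on which p is NULL; include that context in the hunk or quote the relevant lines in the description.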
In tipc_publ_purge(), there is an if statement on line 215 to check whether p is NULL:

    if (p)

When p is NULL, it is used on line 226:

    kfree_rcu(p, rcu);

Thus, a possible null-pointer dereference may occur.

To fix this bug, p is checked before being used.

This bug was found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 net/tipc/name_distr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
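The shape the thread is arguing about, lookup-then-free where the lookup may yield NULL, modelled in user space as an added example (this is not code from the TIPC patch or from the kernel). It assumes plain malloc()/free() as the stand-in for the kernel allocator and kfree_rcu(); free(NULL) is defined by the C standard to do nothing (C99 7.20.3.2), which plays the role the replies attribute to kfree_rcu(). The names publication, publ_table, publ_add, publ_remove, publ_purge and publ_scenario are this example's own. It shows that the trailing free is reached with p == NULL on the miss path and that no extra guard is needed for that path to be safe:

```c
/* Added example, not kernel code: user-space model of the
 * lookup-then-free pattern discussed in the thread. */
#include <stdint.h>
#include <stdlib.h>

struct publication {
    uint32_t key;
    uint32_t node;
    struct publication *next;
};

/* Tiny singly linked table standing in for the TIPC name table (assumed). */
struct publ_table {
    struct publication *head;
    unsigned long freed;   /* entries that were actually handed to free() */
};

int publ_add(struct publ_table *t, uint32_t key, uint32_t node)
{
    struct publication *p = malloc(sizeof(*p));

    if (!p)
        return -1;
    p->key = key;
    p->node = node;
    p->next = t->head;
    t->head = p;
    return 0;
}

/* Unlink and return the entry matching key/node, or NULL when absent. */
static struct publication *publ_remove(struct publ_table *t, uint32_t key,
                                       uint32_t node)
{
    struct publication **pp;

    for (pp = &t->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->key == key && (*pp)->node == node) {
            struct publication *p = *pp;

            *pp = p->next;
            return p;
        }
    }
    return NULL;
}

/* Mirrors the control flow of tipc_publ_purge(): do the "if (p)" work only
 * when the lookup hit, then hand p to the free routine unconditionally.
 * Returns 1 when an entry was freed, 0 when p was NULL. */
int publ_purge(struct publ_table *t, uint32_t key, uint32_t node)
{
    struct publication *p = publ_remove(t, key, node);
    int found = p != NULL;   /* decided before free(), never after */

    if (found)
        t->freed++;          /* stands in for the withdraw bookkeeping */

    free(p);                 /* free(NULL) is a no-op: nothing is dereferenced */
    return found;
}

/* Constructed scenario: two entries, four purges (two hits, two misses).
 * Returns the number of entries freed, expected to be 2, or a negative
 * value if the table ends up in an unexpected state. */
int publ_scenario(void)
{
    struct publ_table t = { NULL, 0 };

    if (publ_add(&t, 1, 100) || publ_add(&t, 2, 100))
        return -1;
    publ_purge(&t, 2, 100);   /* hit */
    publ_purge(&t, 2, 100);   /* miss: p == NULL reaches free() safely */
    publ_purge(&t, 9, 100);   /* miss */
    publ_purge(&t, 1, 100);   /* hit */
    return t.head == NULL ? (int)t.freed : -2;
}

int main(void)
{
    return publ_scenario() == 2 ? 0 : 1;
}
```

Running it under a sanitizer (for example `cc -fsanitize=address,undefined`) is the quick way to confirm the miss path: the second purge of key 2 calls free(NULL) and neither the sanitizer nor the program reports anything, which is the behaviour the reviewers in the thread expect from kfree_rcu() and which a checker has to know about to avoid this class of report.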