From: David Howells Date: Tue, 30 Aug 2016 08:49:28 +0000 (+0100) Subject: rxrpc: Fix a potential NULL-pointer deref in rxrpc_abort_calls X-Git-Tag: v4.9.8~1241^2~344^2~7 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ccbd3dbe85e1445231a7e0da2dada130cedce9d0;p=platform%2Fkernel%2Flinux-rpi3.git rxrpc: Fix a potential NULL-pointer deref in rxrpc_abort_calls The call pointer in a channel on a connection will be NULL if there's no active call on that channel. rxrpc_abort_calls() needs to check for this before trying to take the call's state_lock. Signed-off-by: David Howells --- diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c index 6296374..bb81801 100644 --- a/net/rxrpc/conn_event.c +++ b/net/rxrpc/conn_event.c @@ -149,19 +149,23 @@ static void rxrpc_abort_calls(struct rxrpc_connection *conn, int state, call = rcu_dereference_protected( conn->channels[i].call, lockdep_is_held(&conn->channel_lock)); - write_lock_bh(&call->state_lock); - if (call->state <= RXRPC_CALL_COMPLETE) { - call->state = state; - if (state == RXRPC_CALL_LOCALLY_ABORTED) { - call->local_abort = conn->local_abort; - set_bit(RXRPC_CALL_EV_CONN_ABORT, &call->events); - } else { - call->remote_abort = conn->remote_abort; - set_bit(RXRPC_CALL_EV_RCVD_ABORT, &call->events); + if (call) { + write_lock_bh(&call->state_lock); + if (call->state <= RXRPC_CALL_COMPLETE) { + call->state = state; + if (state == RXRPC_CALL_LOCALLY_ABORTED) { + call->local_abort = conn->local_abort; + set_bit(RXRPC_CALL_EV_CONN_ABORT, + &call->events); + } else { + call->remote_abort = conn->remote_abort; + set_bit(RXRPC_CALL_EV_RCVD_ABORT, + &call->events); + } + rxrpc_queue_call(call); } - rxrpc_queue_call(call); + write_unlock_bh(&call->state_lock); } - write_unlock_bh(&call->state_lock); } spin_unlock(&conn->channel_lock);