Mirror of https://github.com/torvalds/linux.git, synced 2026-05-30 10:04:04 +02:00

If an ICMP packet comes in on the UDP socket backing an AF_RXRPC socket as
the UDP socket is being shut down, rxrpc_error_report() may get called to
deal with it after sk_user_data on the UDP socket has been cleared, leading
to a NULL pointer access when this local endpoint record gets accessed.

Fix this by just returning immediately if sk_user_data was NULL.

The oops looks like the following:

```
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
...
RIP: 0010:rxrpc_error_report+0x1bd/0x6a9
...
Call Trace:
? sock_queue_err_skb+0xbd/0xde
? __udp4_lib_err+0x313/0x34d
__udp4_lib_err+0x313/0x34d
icmp_unreach+0x1ee/0x207
icmp_rcv+0x25b/0x28f
ip_protocol_deliver_rcu+0x95/0x10e
ip_local_deliver+0xe9/0x148
__netif_receive_skb_one_core+0x52/0x6e
process_backlog+0xdc/0x177
net_rx_action+0xf9/0x270
__do_softirq+0x1b6/0x39a
? smpboot_register_percpu_thread+0xce/0xce
run_ksoftirqd+0x1d/0x42
smpboot_thread_fn+0x19e/0x1b3
kthread+0xf1/0xf6
? kthread_delayed_work_timer_fn+0x83/0x83
ret_from_fork+0x24/0x30
```

Fixes:

| File | | |
|---|---|---|
| af_rxrpc.c | ||
| ar-internal.h | ||
| call_accept.c | ||
| call_event.c | ||
| call_object.c | ||
| conn_client.c | ||
| conn_event.c | ||
| conn_object.c | ||
| conn_service.c | ||
| input.c | ||
| insecure.c | ||
| Kconfig | ||
| key.c | ||
| local_event.c | ||
| local_object.c | ||
| Makefile | ||
| misc.c | ||
| net_ns.c | ||
| output.c | ||
| peer_event.c | ||
| peer_object.c | ||
| proc.c | ||
| protocol.h | ||
| recvmsg.c | ||
| rxkad.c | ||
| security.c | ||
| sendmsg.c | ||
| skbuff.c | ||
| sysctl.c | ||
| utils.c | ||