Skip to content

Commit

Permalink
net: rtnl: return early from rtnl_unregister_all when protocol isn't …
Browse files Browse the repository at this point in the history 
…registered

rtnl_unregister_all(PF_INET6) gets called from inet6_init in cases when
no handler has been registered for PF_INET6 yet, for example if
ip6_mr_init() fails. Abort and avoid a NULL pointer deref in that case.

Example of panic (triggered by faking a failure of
 register_pernet_subsys):

    general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI
    [...]
    RIP: 0010:rtnl_unregister_all+0x17e/0x2a0
    [...]
    Call Trace:
     ? rtnetlink_net_init+0x250/0x250
     ? sock_unregister+0x103/0x160
     ? kernel_getsockopt+0x200/0x200
     inet6_init+0x197/0x20d

Fixes: e2fddf5 ("[IPV6]: Make af_inet6 to check ip6_route_init return value.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
@qsn @davem330
qsn authored and davem330 committed Aug 30, 2018
1 parent a03dc36 commit f707ef6
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions net/core/rtnetlink.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -324,6 +324,10 @@ void rtnl_unregister_all(int protocol)

rtnl_lock();
tab = rtnl_msg_handlers[protocol];
if (!tab) {
rtnl_unlock();
return;
}
RCU_INIT_POINTER(rtnl_msg_handlers[protocol], NULL);
for (msgindex = 0; msgindex < RTM_NR_MSGTYPES; msgindex++) {
link = tab[msgindex];
Expand Down

0 comments on commit f707ef6

Please sign in to comment.