summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2015-11-02 16:50:07 +0100
committerDavid S. Miller <davem@davemloft.net>2015-11-03 04:46:09 +0100
commit8fa677d2706d325d71dab91bf6e6512c05214e37 (patch)
tree6c16f02d7e748cd313e91424e34f181d9c7bdf21
parentipv6: fix crash on ICMPv6 redirects with prohibited/blackholed source (diff)
downloadlinux-8fa677d2706d325d71dab91bf6e6512c05214e37.tar.xz
linux-8fa677d2706d325d71dab91bf6e6512c05214e37.zip
net: avoid NULL deref in inet_ctl_sock_destroy()
Under low memory conditions, tcp_sk_init() and icmp_sk_init() can both iterate on all possible cpus and call inet_ctl_sock_destroy(), with eventual NULL pointer. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/inet_common.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/include/net/inet_common.h b/include/net/inet_common.h
index 279f83591971..109e3ee9108c 100644
--- a/include/net/inet_common.h
+++ b/include/net/inet_common.h
@@ -41,7 +41,8 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len,
static inline void inet_ctl_sock_destroy(struct sock *sk)
{
- sock_release(sk->sk_socket);
+ if (sk)
+ sock_release(sk->sk_socket);
}
#endif