summaryrefslogtreecommitdiffstats
path: root/net/ipv4/devinet.c
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2019-06-17 16:02:27 +0200
committerDavid S. Miller <davem@davemloft.net>2019-06-18 01:27:42 +0200
commit40008e921133f95685ca4dfd7233b3df96af2bd6 (patch)
tree338373f2866142f36d2f67893f2bebae50f35ed2 /net/ipv4/devinet.c
parentnet: dsa: sja1105: fix ptp link error (diff)
downloadlinux-40008e921133f95685ca4dfd7233b3df96af2bd6.tar.xz
linux-40008e921133f95685ca4dfd7233b3df96af2bd6.zip
net: ipv4: remove erroneous advancement of list pointer
Causes crash when lifetime expires on an adress as garbage is dereferenced soon after. This used to look like this: for (ifap = &ifa->ifa_dev->ifa_list; *ifap != NULL; ifap = &(*ifap)->ifa_next) { if (*ifap == ifa) ... but this was changed to: struct in_ifaddr *tmp; ifap = &ifa->ifa_dev->ifa_list; tmp = rtnl_dereference(*ifap); while (tmp) { tmp = rtnl_dereference(tmp->ifa_next); // Bogus if (rtnl_dereference(*ifap) == ifa) { ... ifap = &tmp->ifa_next; // Can be NULL tmp = rtnl_dereference(*ifap); // Dereference } } Remove the bogus assigment/list entry skip. Fixes: 2638eb8b50cf ("net: ipv4: provide __rcu annotation for ifa_list") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/devinet.c')
-rw-r--r--net/ipv4/devinet.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 925dffa915cb..914ccc7f192a 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -745,8 +745,7 @@ static void check_lifetime(struct work_struct *work)
ifap = &ifa->ifa_dev->ifa_list;
tmp = rtnl_dereference(*ifap);
while (tmp) {
- tmp = rtnl_dereference(tmp->ifa_next);
- if (rtnl_dereference(*ifap) == ifa) {
+ if (tmp == ifa) {
inet_del_ifa(ifa->ifa_dev,
ifap, 1);
break;