RxRPC: Fix a potential NULL dereference (15bde727) · Commits · e / devices / android_kernel_oneplus_sm8150

Fix a potential NULL dereference bug during error handling in rxrpc_kernel_begin_call(), whereby rxrpc_put_transport() may be handed a NULL pointer. This was found with a code checker (http://repo.or.cz/w/smatch.git/ ). Reported-by:

Dan Carpenter <error27@gmail.com> Signed-off-by:

David Howells <dhowells@redhat.com> Signed-off-by:

David S. Miller <davem@davemloft.net>

net/rxrpc/af_rxrpc.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -284,13 +284,13 @@ struct rxrpc_call rxrpc_kernel_begin_call(struct socket sock,
		if (IS_ERR(trans)) {
		call = ERR_CAST(trans);
		trans = NULL;
		goto out;
		goto out_notrans;
		}
		} else {
		trans = rx->trans;
		if (!trans) {
		call = ERR_PTR(-ENOTCONN);
		goto out;
		goto out_notrans;
		}
		atomic_inc(&trans->usage);
		}
		@@ -315,6 +315,7 @@ struct rxrpc_call rxrpc_kernel_begin_call(struct socket sock,
		rxrpc_put_bundle(trans, bundle);
		out:
		rxrpc_put_transport(trans);
		out_notrans:
		release_sock(&rx->sk);
		_leave(" = %p", call);
		return call;