Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ccbd3dbe authored by David Howells's avatar David Howells
Browse files

rxrpc: Fix a potential NULL-pointer deref in rxrpc_abort_calls 



The call pointer in a channel on a connection will be NULL if there's no
active call on that channel.  rxrpc_abort_calls() needs to check for this
before trying to take the call's state_lock.

Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent 3201a39b

net/rxrpc/conn_event.c

+15 −11
Original line number Diff line number Diff line
@@ -149,20 +149,24 @@ static void rxrpc_abort_calls(struct rxrpc_connection *conn, int state, 
		call = rcu_dereference_protected(

			conn->channels[i].call,

			lockdep_is_held(&conn->channel_lock));

		if (call) {

			write_lock_bh(&call->state_lock);

			if (call->state <= RXRPC_CALL_COMPLETE) {

				call->state = state;

				if (state == RXRPC_CALL_LOCALLY_ABORTED) {

					call->local_abort = conn->local_abort;

				set_bit(RXRPC_CALL_EV_CONN_ABORT, &call->events);

					set_bit(RXRPC_CALL_EV_CONN_ABORT,

						&call->events);

				} else {

					call->remote_abort = conn->remote_abort;

				set_bit(RXRPC_CALL_EV_RCVD_ABORT, &call->events);

					set_bit(RXRPC_CALL_EV_RCVD_ABORT,

						&call->events);

				}

				rxrpc_queue_call(call);

			}

			write_unlock_bh(&call->state_lock);

		}

	}



	spin_unlock(&conn->channel_lock);

	_leave("");