From javier.martinez@collabora.co.uk Thu Jun 6 03:26:26 2013
From: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Date: Thu, 6 Jun 2013 12:25:50 +0200
Subject: [PATCH 2/6] netfilter: nfdbus: fix NULL pointer dereference when releasing a name
To: Greg KH <gregkh@linuxfoundation.org>
Cc: ltsi-dev@lists.linuxfoundation.org, Alban Crequy <alban.crequy@collabora.co.uk>
Message-ID: <1370514354-19114-3-git-send-email-javier.martinez@collabora.co.uk>
From: Alban Crequy <alban.crequy@collabora.co.uk>
When a name was requested and then released, an "Unable to handle
kernel NULL pointer dereference at virtual address 00000000" error
was raised:
[ 1862.609374] [<c02cb34c>] (strcmp+0x10/0x48) from [<bf1460b0>] (bus_matchmaker_remove_name+0x30/0x6c [netfilter_dbus])
[ 1862.620605] [<bf1460b0>] (bus_matchmaker_remove_name+0x30/0x6c [netfilter_dbus]) from [<bf144790>] (dbus_filter+0x194/0x274 [netfilter_dbus])
[ 1862.634033] [<bf144790>] (dbus_filter+0x194/0x274 [netfilter_dbus]) from [<c04d1b20>] (nf_iterate+0x60/0x98)
[ 1862.644409] [<c04d1b20>] (nf_iterate+0x60/0x98) from [<c04d1bc4>] (nf_hook_slow+0x6c/0x120)
[ 1862.653259] [<c04d1bc4>] (nf_hook_slow+0x6c/0x120) from [<bf13a5d4>] (bus_sendmsg+0xe04/0xfc0 [af_bus])
[ 1862.663208] [<bf13a5d4>] (bus_sendmsg+0xe04/0xfc0 [af_bus]) from [<c04956d4>] (sock_sendmsg+0xc4/0xec)
[ 1862.673034] [<c04956d4>] (sock_sendmsg+0xc4/0xec) from [<c04959b0>] (__sys_sendmsg+0x1f4/0x2a8)
[ 1862.682220] [<c04959b0>] (__sys_sendmsg+0x1f4/0x2a8) from [<c0497470>] (sys_sendmsg+0x4c/0x70)
[ 1862.691345] [<c0497470>] (sys_sendmsg+0x4c/0x70) from [<c00138f0>] (__sys_trace_return+0x0/0x30)
Signed-off-by: Alban Crequy <alban.crequy@collabora.co.uk>
---
net/bus/nfdbus/nfdbus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bus/nfdbus/nfdbus.c
+++ b/net/bus/nfdbus/nfdbus.c
@@ -171,7 +171,7 @@ static unsigned int dbus_filter(unsigned
sendctx->recipient);
sender = find_match_maker(sendctx->sender, true, false);
- bus_matchmaker_remove_name(sender, msg.name_acquired);
+ bus_matchmaker_remove_name(sender, msg.name_lost);
}
pr_debug("AF_BUS packet '%s' from the bus master. ACCEPT.\n",
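Review bot: At the `bus_matchmaker_remove_name(sender, msg.name_lost);` call, nothing in the lines shown checks that `msg.name_lost` is non-NULL or that `find_match_maker(sendctx->sender, true, false)` returned a match maker before both are passed on. The trace in the commit message shows `strcmp` faulting at address 00000000 inside `bus_matchmaker_remove_name`, so a NULL argument reaches the comparison unchecked. Unless the enclosing condition (outside this hunk) already guarantees both values are set, guard the call with `if (sender && msg.name_lost)` or have `bus_matchmaker_remove_name` reject a NULL name, so that swapping the field is not the only thing standing between a message on this path and an oops in the netfilter hook. The commit message would also be easier to audit with one sentence naming the cause, namely that the release path passed `msg.name_acquired` where `msg.name_lost` was meant.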