[PATCH net] net: prevent NULL pointer dereference in rt_fibinfo_free() and rt_fibinfo_free_cpus()

From: Jeongjun Park
Date: Mon Sep 09 2024 - 14:48:46 EST


rt_fibinfo_free() and rt_fibinfo_free_cpus() only check rt; they then use
rt->dst without verifying it, which will result in a NULL pointer dereference.

Therefore, to prevent this, we need to add a check for rt->dst.

Fixes: 0830106c5390 ("ipv4: take dst->__refcnt when caching dst in fib")
Fixes: c5038a8327b9 ("ipv4: Cache routes in nexthop exception entries.")
Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
---
net/ipv4/fib_semantics.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 2b57cd2b96e2..3a2a92599366 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -153,6 +153,8 @@ static void rt_fibinfo_free(struct rtable __rcu **rtp)

if (!rt)
return;
+ if (!&rt->dst)
+ return;

/* Not even needed : RCU_INIT_POINTER(*rtp, NULL);
* because we waited an RCU grace period before calling
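Review bot: The added `if (!&rt->dst) return;` can never be true. The calls `dst_dev_put(&rt->dst)` show that `dst` is a struct embedded in `struct rtable`, not a pointer, so its address is non-NULL whenever `rt` is, and the preceding `if (!rt)` already guarantees that. The check is dead code (compilers typically flag it under `-Waddress`) and guards no dereference, so it suggests protection that does not exist; the same applies to `if (!&rt->dst) continue;` in rt_fibinfo_free_cpus(). If a crash was observed, the commit message should carry the trace, and the fix should test the field that was actually NULL (presumably something reached through `dst`, to be confirmed from the report) rather than the address of an embedded member. The body of rt_fibinfo_free() continues outside the hunk.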
@@ -202,10 +204,13 @@ static void rt_fibinfo_free_cpus(struct rtable __rcu * __percpu *rtp)
struct rtable *rt;

rt = rcu_dereference_protected(*per_cpu_ptr(rtp, cpu), 1);
- if (rt) {
- dst_dev_put(&rt->dst);
- dst_release_immediate(&rt->dst);
- }
+ if (!rt)
+ continue;
+ if (!&rt->dst)
+ continue;
+
+ dst_dev_put(&rt->dst);
+ dst_release_immediate(&rt->dst);
}
free_percpu(rtp);
}
--