rionet: NULL pointer dereference

From: Jesper Juhl
Date: Thu Jun 16 2011 - 18:15:42 EST

Next message: Benjamin Herrenschmidt: "Re: [GIT PULL] Re: REGRESSION: Performance regressions fromswitching anon_vma->lock to mutex"
Previous message: Richard Weinberger: "[PATCH] Fix infinite loop in search_binary_handler()"
Next in thread: Connor Hansen: "Re: rionet: NULL pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi

Just noticed that drivers/net/rionet.c::rionet_remove() can cause a NULL
deref when it calls unregister_netdev().
It initializes local variable 'ndev' to NULL and nothing changes this
before the call to unregister_netdev(ndev) - that functions then calls:
unregister_netdevice > unregister_netdevice_queue > list_move_tail >
__list_del_entry which dereferences the pointer (which, being NULL, will
end in tears).

I won't claim to know this code nor what the proper fix is; just thought
i'd report it so someone else with more knowledge of this could perhaps
come up with a fix.

Have a nice day.

--
Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/
Don't top-post http://www.catb.org/jargon/html/T/top-post.html
Plain text mails only, please.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Benjamin Herrenschmidt: "Re: [GIT PULL] Re: REGRESSION: Performance regressions fromswitching anon_vma->lock to mutex"
Previous message: Richard Weinberger: "[PATCH] Fix infinite loop in search_binary_handler()"
Next in thread: Connor Hansen: "Re: rionet: NULL pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]