RxRPC: Fix a potential NULL dereference
Fix a potential NULL dereference bug during error handling in rxrpc_kernel_begin_call(), whereby rxrpc_put_transport() may be handed a NULL pointer. This was found with a code checker (http://repo.or.cz/w/smatch.git/). Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
355423d084
commit
15bde72738
|
@ -284,13 +284,13 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
|
|||
if (IS_ERR(trans)) {
|
||||
call = ERR_CAST(trans);
|
||||
trans = NULL;
|
||||
goto out;
|
||||
goto out_notrans;
|
||||
}
|
||||
} else {
|
||||
trans = rx->trans;
|
||||
if (!trans) {
|
||||
call = ERR_PTR(-ENOTCONN);
|
||||
goto out;
|
||||
goto out_notrans;
|
||||
}
|
||||
atomic_inc(&trans->usage);
|
||||
}
|
||||
|
@ -315,6 +315,7 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
|
|||
rxrpc_put_bundle(trans, bundle);
|
||||
out:
|
||||
rxrpc_put_transport(trans);
|
||||
out_notrans:
|
||||
release_sock(&rx->sk);
|
||||
_leave(" = %p", call);
|
||||
return call;
|
||||
|
|
Loading…
Reference in New Issue
Block a user