ipv4: ipmr: fix NULL pointer deref during unres queue destruction

Fix an oversight in ipmr_destroy_unres() - the net pointer is unconditionally initialized to NULL, resulting in a NULL pointer dereference later on. Fix by adding a net pointer to struct mr_table and using it in ipmr_destroy_unres(). Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2010-04-15 07:29:28 -0400
committer: Patrick McHardy <kaber@trash.net> 2010-04-15 07:31:29 -0400
commit: 8de53dfbf9a0a0f7538c005137059c5c021476e1 (patch)
tree: 51fbba0b36a24feac02fa76d4deaecfcdece7c7f /net/ipv4/ipmr.c
parent: b0ebb739a8f68039f03e80b3476b204fe5adf0d7 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 0643fb6d47c4..7d8a2bcecb76 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -71,6 +71,9 @@
 struct mr_table {
        struct list_head        list;
+#ifdef CONFIG_NET_NS
+        struct net              *net;
+#endif
        u32                     id;
        struct sock             *mroute_sk;
        struct timer_list       ipmr_expire_timer;
@@ -308,6 +311,7 @@ static struct mr_table *ipmr_new_table(struct net *net, u32 id)
        mrt = kzalloc(sizeof(*mrt), GFP_KERNEL);
        if (mrt == NULL)
                return NULL;
+        write_pnet(&mrt->net, net);
        mrt->id = id;
        /* Forwarding cache */
@@ -580,7 +584,7 @@ static inline void ipmr_cache_free(struct mfc_cache *c)
 static void ipmr_destroy_unres(struct mr_table *mrt, struct mfc_cache *c)
 {
-        struct net *net = NULL; //mrt->net;
+        struct net *net = read_pnet(&mrt->net);
        struct sk_buff *skb;
        struct nlmsgerr *e;
author	Patrick McHardy <kaber@trash.net>	2010-04-15 07:29:28 -0400
committer	Patrick McHardy <kaber@trash.net>	2010-04-15 07:31:29 -0400
commit	8de53dfbf9a0a0f7538c005137059c5c021476e1 (patch)
tree	51fbba0b36a24feac02fa76d4deaecfcdece7c7f /net/ipv4/ipmr.c
parent	b0ebb739a8f68039f03e80b3476b204fe5adf0d7 (diff)