rxrpc: Fix a potential NULL-pointer deref in rxrpc_abort_calls

The call pointer in a channel on a connection will be NULL if there's no active call on that channel. rxrpc_abort_calls() needs to check for this before trying to take the call's state_lock. Signed-off-by: David Howells <dhowells@redhat.com>

rxrpc: Fix a potential NULL-pointer deref in rxrpc_abort_calls
The call pointer in a channel on a connection will be NULL if there's no active call on that channel. rxrpc_abort_calls() needs to check for this before trying to take the call's state_lock. Signed-off-by: David Howells <dhowells@redhat.com>
ccbd3dbe · David Howells · 3201a39b · ccbd3dbe
Commit ccbd3dbe authored Aug 30, 2016 by David Howells
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 11 deletions

net/rxrpc/conn_event.c net/rxrpc/conn_event.c +15 -11

No files found.
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -149,20 +149,24 @@ static void rxrpc_abort_calls(struct rxrpc_connection *conn, int state,
 		call = rcu_dereference_protected(
 			conn->channels[i].call,
 			lockdep_is_held(&conn->channel_lock));
+		if (call) {
 			write_lock_bh(&call->state_lock);
 			if (call->state <= RXRPC_CALL_COMPLETE) {
 				call->state = state;
 				if (state == RXRPC_CALL_LOCALLY_ABORTED) {
 					call->local_abort = conn->local_abort;
-				set_bit(RXRPC_CALL_EV_CONN_ABORT, &call->events);
+					set_bit(RXRPC_CALL_EV_CONN_ABORT,
+						&call->events);
 				} else {
 					call->remote_abort = conn->remote_abort;
-				set_bit(RXRPC_CALL_EV_RCVD_ABORT, &call->events);
+					set_bit(RXRPC_CALL_EV_RCVD_ABORT,
+						&call->events);
 				}
 				rxrpc_queue_call(call);
 			}
 			write_unlock_bh(&call->state_lock);
 		}
+	}
 	spin_unlock(&conn->channel_lock);
 	_leave("");