
From: Xin Long <lucien.xin@gmail.com> mainline inclusion from mainline-v5.3-rc1 commit d2c3a4ba25fbfb6b2c7b5fe423be1b287954cd4c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAPI CVE: CVE-2024-56642 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... ------------------------------------------------- Both tipc_udp_enable and tipc_udp_disable are called under rtnl_lock, ub->ubsock could never be NULL in tipc_udp_disable and cleanup_bearer, so remove the check. Also remove the one in tipc_udp_enable by adding "free" label. Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: net/tipc/udp_media.c [Did not backport e9c1a793210f2.] Signed-off-by: Liu Jian <liujian56@huawei.com> --- net/tipc/udp_media.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c index c01dcf9746be1..ca5bac6dcbea2 100644 --- a/net/tipc/udp_media.c +++ b/net/tipc/udp_media.c @@ -753,12 +753,12 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b, else err = tipc_udp_rcast_add(b, &remote); if (err) - goto err; + goto free; return 0; +free: + udp_tunnel_sock_release(ub->ubsock); err: - if (ub->ubsock) - udp_tunnel_sock_release(ub->ubsock); kfree(ub); return err; } @@ -775,8 +775,7 @@ static void cleanup_bearer(struct work_struct *work) } atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count); - if (ub->ubsock) - udp_tunnel_sock_release(ub->ubsock); + udp_tunnel_sock_release(ub->ubsock); synchronize_net(); kfree(ub); } @@ -791,8 +790,7 @@ static void tipc_udp_disable(struct tipc_bearer *b) pr_err("UDP bearer instance not found\n"); return; } - if (ub->ubsock) - sock_set_flag(ub->ubsock->sk, SOCK_DEAD); + sock_set_flag(ub->ubsock->sk, SOCK_DEAD); RCU_INIT_POINTER(ub->bearer, NULL); /* sock_release need to be done outside of rtnl lock */ -- 2.34.1
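Review bot: in the first hunk (tipc_udp_enable), only the tipc_udp_rcast_add() failure is switched to `goto free`, and the `err:` label no longer releases the socket. Any other failure path that runs after ub->ubsock has been created and still uses `goto err` would now leak the socket, where the old `if (ub->ubsock)` check covered it. Since the Conflicts note says e9c1a793210f2 was not backported, please confirm against this tree that every remaining jump to `err` happens before the socket exists, and switch any later one to `free`.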
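Review bot: in the cleanup_bearer hunk, the justification given in the commit message (the callers hold rtnl_lock) is a poor fit, because cleanup_bearer takes a work_struct and the comment in tipc_udp_disable says the socket release has to happen outside the rtnl lock. The removal still looks safe from the visible lines: the unchanged `atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);` just above already dereferences ub->ubsock, so the removed check could not have protected anything. Suggest stating that reason in the backport description.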
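Review bot: in the tipc_udp_disable hunk, `sock_set_flag(ub->ubsock->sk, SOCK_DEAD);` now dereferences ub->ubsock unconditionally, and the only guard left is the "UDP bearer instance not found" check on ub itself. That relies on a bearer never being reachable with ubsock unset. A one-line comment stating this invariant at the call site would keep a later change to the tipc_udp_enable error paths from turning it into a NULL dereference.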