net: rtnl: return early from rtnl_unregister_all when protocol isn't registered

rtnl_unregister_all(PF_INET6) gets called from inet6_init in cases when no handler has been registered for PF_INET6 yet, for example if ip6_mr_init() fails. Abort and avoid a NULL pointer deref in that case. Example of panic (triggered by faking a failure of register_pernet_subsys): general protection fault: 0000 [#1] PREEMPT SMP KASAN PTI [...] RIP: 0010:rtnl_unregister_all+0x17e/0x2a0 [...] Call Trace: ? rtnetlink_net_init+0x250/0x250 ? sock_unregister+0x103/0x160 ? kernel_getsockopt+0x200/0x200 inet6_init+0x197/0x20d Fixes: e2fddf5e96df ("[IPV6]: Make af_inet6 to check ip6_route_init return value.") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Sabrina Dubroca <sd@queasysnail.net> 2018-08-28 13:40:53 +0200
committer: David S. Miller <davem@davemloft.net> 2018-08-29 19:28:55 -0700
commit: f707ef61e17261f2bb18c3e4871c6f135ab3aba9 (patch)
tree: 45c00ac0e6e8a7daaf4f47761d6f6f355271d815
parent: a03dc36bdca6b614651fedfcd8559cf914d2d21d (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 24431e578310..60c928894a78 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -324,6 +324,10 @@ void rtnl_unregister_all(int protocol)
 
 	rtnl_lock();
 	tab = rtnl_msg_handlers[protocol];
+	if (!tab) {
+		rtnl_unlock();
+		return;
+	}
 	RCU_INIT_POINTER(rtnl_msg_handlers[protocol], NULL);
 	for (msgindex = 0; msgindex < RTM_NR_MSGTYPES; msgindex++) {
 		link = tab[msgindex];
author	Sabrina Dubroca <sd@queasysnail.net>	2018-08-28 13:40:53 +0200
committer	David S. Miller <davem@davemloft.net>	2018-08-29 19:28:55 -0700
commit	f707ef61e17261f2bb18c3e4871c6f135ab3aba9 (patch)
tree	45c00ac0e6e8a7daaf4f47761d6f6f355271d815
parent	a03dc36bdca6b614651fedfcd8559cf914d2d21d (diff)