From patchwork Mon Aug 8 10:13:45 2016
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 101971
From: Arnd Bergmann
To: "David S. Miller", David Howells
Cc: Arnd Bergmann, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] [net] rxrpc: fix uninitialized pointer dereference in debug code
Date: Mon, 8 Aug 2016 12:13:45 +0200
Message-Id: <20160808101357.1583011-1-arnd@arndb.de>

A newly added bugfix caused an uninitialized variable to be used for printing debug output. This is harmless as long as the debug setting is disabled, but otherwise leads to an immediate crash.

gcc warns about this when -Wmaybe-uninitialized is enabled:

net/rxrpc/call_object.c: In function 'rxrpc_release_call':
net/rxrpc/call_object.c:496:163: error: 'sp' may be used uninitialized in this function [-Werror=maybe-uninitialized]

The initialization was removed but one of the users remains.
This adds back the initialization. Signed-off-by: Arnd Bergmann Fixes: 372ee16386bb ("rxrpc: Fix races between skb free, ACK generation and replying") --- I have not tried to understand the longish bugfix patch that caused this, so I'm not sure whether it's actually safe to access rxrpc_skb(skb) in this function. Please check if this is the right fix. --- net/rxrpc/call_object.c | 1 + 1 file changed, 1 insertion(+) -- 2.9.0 diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c index c47f14fc5e88..e8c953c48cb8 100644 --- a/net/rxrpc/call_object.c +++ b/net/rxrpc/call_object.c @@ -493,6 +493,7 @@ void rxrpc_release_call(struct rxrpc_call *call) (skb = skb_dequeue(&call->rx_oos_queue))) { spin_unlock_bh(&call->lock); + sp = rxrpc_skb(skb); _debug("- zap %s %%%u #%u", rxrpc_pkts[sp->hdr.type], sp->hdr.serial, sp->hdr.seq);
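Review bot: the added `sp = rxrpc_skb(skb);` in the rx_oos_queue loop of rxrpc_release_call() is placed after `spin_unlock_bh(&call->lock)`, and the note under the `---` says it has not been checked whether reading rxrpc_skb(skb) is safe at this point, so the changelog should state why it is before this goes in. The skb comes from `skb_dequeue(&call->rx_oos_queue)`, so the argument would be that this path is its sole owner once it is off the queue; please confirm that against the commit named in the Fixes tag, which is the one that removed the initialization. Since the only consumer of `sp` in the visible lines is the `_debug()` call, also check whether any other use of `sp` in this function was left behind by that commit. Separately, `rxrpc_pkts[sp->hdr.type]` indexes a table with a value taken from the packet header and no range check is visible in this hunk; it is worth confirming the type is validated before the packet is queued, since this line only executes when debugging is enabled and is therefore rarely exercised.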