* [PATCH net] tipc: fix NULL deref in tipc_named_node_up() on empty publication list
@ 2026-07-05 11:59 Weiming Shi
  0 siblings, 0 replies; only message in thread
From: Weiming Shi @ 2026-07-05 11:59 UTC (permalink / raw)
  To: Jon Maloy, netdev, tipc-discussion
  Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Hoang Huu Le, Xiang Mei, linux-kernel, Weiming Shi

named_distribute() builds the bulk messages for @pls into @list and then
dereferences the tail skb:

	hdr = buf_msg(skb_peek_tail(list));
	msg_set_last_bulk(hdr);

If @pls is empty no skb is enqueued, skb_peek_tail() returns NULL, and
msg_set_last_bulk() writes through buf_msg(NULL).

tipc_named_node_up() passes &nt->cluster_scope. With a node-id
configuration the TIPC_NODE_STATE name is published by tipc_net_finalize()
from a work item, which sets the node address before publishing the name.
The node accepts links once the address is set, so a link that comes up
before the publish runs named_distribute() on an empty cluster_scope:

 KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df]
 RIP: 0010:tipc_named_node_up (net/tipc/name_distr.c:196)
  tipc_named_node_up (net/tipc/name_distr.c:196 net/tipc/name_distr.c:221)
  tipc_node_write_unlock (net/tipc/node.c:428)
  tipc_rcv (net/tipc/node.c:2185)
  tipc_udp_recv (net/tipc/udp_media.c:392)
 Kernel panic - not syncing: Fatal exception in interrupt

TIPC genl ops use GENL_UNS_ADMIN_PERM, so an unprivileged user can reach
this from a user+net namespace.

Return early from named_distribute() when the list is empty, and skip
tipc_node_xmit() for an empty chain. The empty chain would otherwise hit
tipc_lxc_xmit() -> buf_msg(skb_peek(list)), the same zero-skb case fixed
for tipc_link_xmit() in commit b77413446408 ("tipc: fix NULL deref in
tipc_link_xmit()").

Fixes: cad2929dc432 ("tipc: update a binding service via broadcast")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
---
 net/tipc/name_distr.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index ba4f4906e13b..c04fea4650a5 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -192,7 +192,10 @@ static void named_distribute(struct net *net, struct sk_buff_head *list,
 		skb_trim(skb, INT_H_SIZE + (msg_dsz - msg_rem));
 		__skb_queue_tail(list, skb);
 	}
-	hdr = buf_msg(skb_peek_tail(list));
+	skb = skb_peek_tail(list);
+	if (!skb)
+		return;
+	hdr = buf_msg(skb);
 	msg_set_last_bulk(hdr);
 	msg_set_named_seqno(hdr, seqno);
 }
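Review bot: the early return is correct but silent; a one-line comment above `if (!skb)` saying that @pls can legitimately be empty (the commit message's case of a link coming up before tipc_net_finalize() publishes TIPC_NODE_STATE) would stop a later cleanup from treating a NULL tail as impossible and removing the check. The hunk also reuses the loop's `skb` for the tail, which is fine since the loop's last iteration queued that very buffer, but the comment should make clear that the assignment doubles as the emptiness test rather than reading as a stale-pointer reuse.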
@@ -219,7 +222,8 @@ void tipc_named_node_up(struct net *net, u32 dnode, u16 capabilities)
 
 	read_lock_bh(&nt->cluster_scope_lock);
 	named_distribute(net, &head, dnode, &nt->cluster_scope, seqno);
-	tipc_node_xmit(net, &head, dnode, 0);
+	if (!skb_queue_empty(&head))
+		tipc_node_xmit(net, &head, dnode, 0);
 	read_unlock_bh(&nt->cluster_scope_lock);
 }
 
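Review bot: the `skb_queue_empty(&head)` guard is placed correctly, but it protects only this caller; after the first hunk named_distribute() can return with @list empty without signalling it, so any other caller that forwards the list to tipc_node_xmit() needs the same check, since (as the commit message says) an empty chain reaches tipc_lxc_xmit() -> buf_msg(skb_peek(list)). Consider making the contract explicit, either by having named_distribute() return whether anything was queued or by documenting at its definition that the list may be left empty, so the two halves of the fix cannot drift apart.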
-- 
2.43.0
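The pattern the patch applies, shown as an added user-space model that is not kernel code and not part of the posted patch: a queue whose peek_tail() returns NULL when empty (as skb_peek_tail() does), a builder that flags the last message only after confirming one exists, and a caller that skips transmit for an empty chain (the skb_queue_empty() check). The names publ, bulk, msgq, build_bulk(), send_bulk() and node_up() are constructed here and are not TIPC identifiers; BULK_CAP is likewise a constructed capacity.

```c
#include <stddef.h>
#include <stdio.h>

#define BULK_CAP 3   /* constructed: publications carried per bulk message */

struct publ {                 /* one name publication (constructed stand-in) */
	unsigned int instance;
	struct publ *next;
};

struct bulk {                 /* one bulk message (constructed stand-in) */
	unsigned int items[BULK_CAP];
	int n;                /* publications packed into this message */
	int last;             /* set on the final message of the bulk only */
	struct bulk *next;
};

struct msgq { struct bulk *head, *tail; int len; };

static void msgq_push_tail(struct msgq *q, struct bulk *b)
{
	b->next = NULL;
	if (q->tail)
		q->tail->next = b;
	else
		q->head = b;
	q->tail = b;
	q->len++;
}

/* Like skb_peek_tail(): NULL when the queue is empty. */
static struct bulk *msgq_peek_tail(const struct msgq *q) { return q->tail; }

/* Pack @pls into bulk messages on @q, drawing messages from @pool.
 * Returns the number of messages queued; 0 means nothing to flag or send. */
static int build_bulk(struct msgq *q, const struct publ *pls,
		      struct bulk *pool, int pool_len)
{
	struct bulk *cur = NULL, *tail;
	int used = 0;

	for (const struct publ *p = pls; p; p = p->next) {
		if (!cur || cur->n == BULK_CAP) {
			if (used == pool_len)
				break;          /* pool exhausted: send what we have */
			cur = &pool[used++];
			cur->n = 0;
			cur->last = 0;
			msgq_push_tail(q, cur);
		}
		cur->items[cur->n++] = p->instance;
	}

	/* The guard the patch adds: with an empty @pls nothing was queued,
	 * so there is no tail message whose header could be written. */
	tail = msgq_peek_tail(q);
	if (!tail)
		return 0;
	tail->last = 1;
	return q->len;
}

/* Stand-in for the transmit path; callers must not hand it an empty chain. */
static int send_bulk(const struct msgq *q)
{
	int sent = 0;

	for (const struct bulk *b = q->head; b; b = b->next)
		sent++;
	return sent;
}

struct result { int sent; int last_idx; };   /* last_idx is -1 if none flagged */

/* Drive the model over a constructed publication list of @count entries
 * (at most 8). Mirrors tipc_named_node_up(): build, then transmit only
 * if the chain is non-empty. */
static struct result node_up(int count)
{
	struct publ pubs[8];
	struct bulk pool[4];
	struct msgq q = { NULL, NULL, 0 };
	struct result r = { 0, -1 };
	int i, idx = 0;

	if (count > 8)
		count = 8;
	for (i = 0; i < count; i++) {
		pubs[i].instance = (unsigned int)i;
		pubs[i].next = (i + 1 < count) ? &pubs[i + 1] : NULL;
	}
	if (build_bulk(&q, count ? pubs : NULL, pool, 4) == 0)
		return r;                       /* empty chain: skip transmit */
	for (const struct bulk *b = q.head; b; b = b->next, idx++)
		if (b->last)
			r.last_idx = idx;
	r.sent = send_bulk(&q);
	return r;
}

int main(void)
{
	struct result e = node_up(0), f = node_up(5);

	printf("empty list: %d messages sent, last flag on #%d\n", e.sent, e.last_idx);
	printf("5 publications: %d messages sent, last flag on #%d\n", f.sent, f.last_idx);
	return 0;
}
```

The two checks are deliberately separate, as in the patch: build_bulk() guards its own tail write, and node_up() independently refuses to transmit an empty chain, so neither relies on the other having been kept.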

