* [PATCH net] tipc: fix NULL deref in tipc_named_node_up() on empty publication list
@ 2026-07-05 11:59 Weiming Shi
From: Weiming Shi @ 2026-07-05 11:59 UTC
To: Jon Maloy, netdev, tipc-discussion
Cc: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Hoang Huu Le, Xiang Mei, linux-kernel, Weiming Shi
named_distribute() builds the bulk messages for @pls into @list and then
dereferences the tail skb:
    hdr = buf_msg(skb_peek_tail(list));
    msg_set_last_bulk(hdr);
If @pls is empty no skb is enqueued, skb_peek_tail() returns NULL, and
msg_set_last_bulk() writes through buf_msg(NULL).
tipc_named_node_up() passes &nt->cluster_scope. With a node-id
configuration the TIPC_NODE_STATE name is published by tipc_net_finalize()
from a work item, which sets the node address before publishing the name.
The node accepts links once the address is set, so a link that comes up
before the publish runs named_distribute() on an empty cluster_scope:
  KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df]
  RIP: 0010:tipc_named_node_up (net/tipc/name_distr.c:196)
   tipc_named_node_up (net/tipc/name_distr.c:196 net/tipc/name_distr.c:221)
   tipc_node_write_unlock (net/tipc/node.c:428)
   tipc_rcv (net/tipc/node.c:2185)
   tipc_udp_recv (net/tipc/udp_media.c:392)
  Kernel panic - not syncing: Fatal exception in interrupt
TIPC genl ops use GENL_UNS_ADMIN_PERM, so an unprivileged user can reach
this from a user+net namespace.
Return early from named_distribute() when the list is empty, and skip
tipc_node_xmit() for an empty chain. The empty chain would otherwise hit
tipc_lxc_xmit() -> buf_msg(skb_peek(list)), the same zero-skb case fixed
for tipc_link_xmit() in commit b77413446408 ("tipc: fix NULL deref in
tipc_link_xmit()").
Fixes: cad2929dc432 ("tipc: update a binding service via broadcast")
Reported-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
---
net/tipc/name_distr.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index ba4f4906e13b..c04fea4650a5 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -192,7 +192,10 @@ static void named_distribute(struct net *net, struct sk_buff_head *list,
skb_trim(skb, INT_H_SIZE + (msg_dsz - msg_rem));
__skb_queue_tail(list, skb);
}
- hdr = buf_msg(skb_peek_tail(list));
+ skb = skb_peek_tail(list);
+ if (!skb)
+ return;
+ hdr = buf_msg(skb);
msg_set_last_bulk(hdr);
msg_set_named_seqno(hdr, seqno);
}
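Review bot: the early return at `if (!skb) return;` leaves no record of why an empty @list is a legitimate state rather than a logic error, so a later reader may treat it as a masked bug; since the commit message establishes that cluster_scope is expected to be empty when a link comes up before tipc_net_finalize() has published TIPC_NODE_STATE, add a one-line comment above the check saying the publication list can legitimately be empty and that the caller must then not send anything. A check on @pls at function entry would also work, but checking the built @list as done here has the advantage of covering any future path where the loop runs but enqueues nothing, so the placement is fine; only the comment is missing.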
@@ -219,7 +222,8 @@ void tipc_named_node_up(struct net *net, u32 dnode, u16 capabilities)
read_lock_bh(&nt->cluster_scope_lock);
named_distribute(net, &head, dnode, &nt->cluster_scope, seqno);
- tipc_node_xmit(net, &head, dnode, 0);
+ if (!skb_queue_empty(&head))
+ tipc_node_xmit(net, &head, dnode, 0);
read_unlock_bh(&nt->cluster_scope_lock);
}
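Review bot: the `if (!skb_queue_empty(&head))` guard protects only this caller; the commit message itself notes that an empty chain would otherwise reach tipc_lxc_xmit() -> buf_msg(skb_peek(list)), the same zero-skb pattern that commit b77413446408 fixed inside tipc_link_xmit() rather than at its callers. Consider adding the equivalent empty-queue check inside tipc_node_xmit()/tipc_lxc_xmit() as well, so that any other path handing an empty chain to the transmit function is covered and the fix does not depend on every caller remembering it; this caller-side check can stay as the cheap early exit. A short comment here stating that `head` can be empty after named_distribute() (cluster_scope not yet populated) would also tie the two hunks together for future readers.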
--
2.43.0