From: Tommi Rantala <tommi.t.rant...@nokia.com>
Date: Tue, 28 Nov 2017 14:53:15 +0200

> Call tipc_rcv() only if bearer is up in tipc_udp_recv().
> Fixes a rare TIPC div-by-zero crash in tipc_node_calculate_timer():
>
> We're enabling a bearer, but it's not yet up and fully initialized.
> At the same time we receive a discovery packet, and in tipc_udp_recv()
> we end up calling tipc_rcv() with the not-yet-initialized bearer,
> causing later a div-by-zero crash in tipc_node_calculate_timer().

You're also now ignoring any error being returned by tipc_udp_rcast_disc().

> - > - if (unlikely(msg_user(hdr) == LINK_CONFIG)) { > - err = tipc_udp_rcast_disc(b, skb); > - if (err) > - goto rcu_out; > + } else { > + if (unlikely(b && msg_user(hdr) == LINK_CONFIG)) > + tipc_udp_rcast_disc(b, skb); > + kfree_skb(skb); > }

Either put the 'err' propagation back or clearly explain in your commit
log message why this part of the change is absolutely essential for this
bug fix.

Thank you.
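
Review bot: In the added else branch the return value of tipc_udp_rcast_disc(b, skb) is discarded, whereas the removed lines stored it in err and took `goto rcu_out` on failure. If the error really cannot be acted on here, say so in a comment above the call or in the commit message; otherwise keep `err = tipc_udp_rcast_disc(b, skb);` and handle the failure before `kfree_skb(skb)`. The new `b &&` test also implies this branch can be reached with a NULL bearer, and neither the hunk nor the commit message says why a LINK_CONFIG message is still passed to tipc_udp_rcast_disc() on the path where tipc_rcv() is skipped, so a one-line comment stating the intent would help the next reader.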