CVE-2022-49664

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 26/02/2025
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: move bc link creation back to tipc_node_create

Shuang Li reported a NULL pointer dereference crash:

[] BUG: kernel NULL pointer dereference, address: 0000000000000068
[] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc]
[] Call Trace:
[]
[] tipc_bcast_rcv+0xa2/0x190 [tipc]
[] tipc_node_bc_rcv+0x8b/0x200 [tipc]
[] tipc_rcv+0x3af/0x5b0 [tipc]
[] tipc_udp_recv+0xc7/0x1e0 [tipc]

It was caused by the 'l' passed into tipc_bcast_rcv() being NULL. When it creates a node in tipc_node_check_dest(), after inserting the new node into hashtable in tipc_node_create(), it creates the bc link. However, there is a gap between this insert and bc link creation, a bc packet may come in and get the node from the hashtable then try to dereference its bc link, which is NULL.

This patch is to fix it by moving the bc link creation before inserting into the hashtable.

Note that for a preliminary node becoming "real", the bc link creation should also be called before it's rehashed, as we don't create it for preliminary nodes.
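
The ordering problem described above, as an added userspace C model (not the kernel's TIPC code and not part of the advisory). All struct and function names are hypothetical, and the broadcast packet arriving in the gap is simulated by calling the receiver between the two steps.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for a TIPC node and its broadcast (bc) link. */
struct link { int up; };
struct node { struct link *bc_link; };

static struct node *table_slot;        /* one-slot stand-in for the node hashtable */
static struct link bc_storage = { 1 };

/* Models a bc packet handled elsewhere: look the node up and report whether
 * it is reachable while its bc link is still NULL (the crashing state). */
static int receiver_sees_null_link(void)
{
    struct node *n = table_slot;
    return n != NULL && n->bc_link == NULL;
}

/* Ordering described as the bug: publish the node, then create the bc link. */
static int create_publish_then_link(struct node *n)
{
    int exposed;
    table_slot = NULL;
    n->bc_link = NULL;
    table_slot = n;                       /* node becomes reachable */
    exposed = receiver_sees_null_link();  /* packet arrives in the gap */
    n->bc_link = &bc_storage;             /* too late for that packet */
    return exposed;
}

/* Ordering described as the fix: create the bc link, then publish the node. */
static int create_link_then_publish(struct node *n)
{
    int exposed;
    table_slot = NULL;
    n->bc_link = &bc_storage;
    exposed = receiver_sees_null_link();  /* node not reachable yet */
    table_slot = n;
    return exposed | receiver_sees_null_link();
}

int main(void)
{
    struct node n;
    printf("publish-then-link exposes NULL bc link: %d\n", create_publish_then_link(&n));
    printf("link-then-publish exposes NULL bc link: %d\n", create_link_then_publish(&n));
    return 0;
}
```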

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4.287 (including) 5.10.129 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.53 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.18.10 (excluding)
cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*