Revision 27de809a3d83a6199664479ebb19712533d6fd9b authored by Björn Töpel on 28 October 2021, 12:51:15 UTC, committed by Jakub Kicinski on 28 October 2021, 15:14:30 UTC
The bpf_jit_binary_free() function requires a non-NULL argument. When
the RISC-V BPF JIT fails to converge in NR_JIT_ITERATIONS steps,
jit_data->header will be NULL, which triggers a NULL
dereference. Avoid this by checking the argument prior to calling the
function.

Fixes: ca6cb5447cec ("riscv, bpf: Factor common RISC-V JIT code")
Signed-off-by: Björn Töpel <bjorn@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20211028125115.514587-1-bjorn@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent 20af886
nr_loopback.c
// SPDX-License-Identifier: GPL-2.0-or-later
/*
 *
 * Copyright Tomi Manninen OH2BNS (oh2bns@sral.fi)
 */
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/socket.h>
#include <linux/timer.h>
#include <net/ax25.h>
#include <linux/skbuff.h>
#include <net/netrom.h>
#include <linux/init.h>

/* Forward declaration: the callback is defined further down but DEFINE_TIMER needs its name here. */
static void nr_loopback_timer(struct timer_list *);

/* Copies of looped-back frames wait here until the timer callback dequeues them. */
static struct sk_buff_head loopback_queue;
/* Timer whose callback, nr_loopback_timer(), takes one frame off loopback_queue per expiry. */
static DEFINE_TIMER(loopback_timer, nr_loopback_timer);

/*
 * Initialise the loopback frame queue.
 *
 * NOTE(review): loopback_queue has no other initialiser in this file, so this
 * presumably has to run before the first nr_loopback_queue() call -- confirm
 * the call order in the module's init path.
 */
void __init nr_loopback_init(void)
{
	skb_queue_head_init(&loopback_queue);
}

/*
 * Report whether the loopback timer is currently pending.
 *
 * Returns the result of timer_pending() on loopback_timer; callers in this
 * file treat non-zero as "already armed" and skip re-arming.
 */
static inline int nr_loopback_running(void)
{
	return timer_pending(&loopback_timer);
}

/*
 * Queue a private copy of @skb for deferred local delivery.
 *
 * A new buffer of skb->len bytes is allocated with GFP_ATOMIC, filled from
 * the linear data of @skb and appended to loopback_queue. The timer is then
 * armed for jiffies + 10 unless it is already pending. @skb itself is always
 * freed here, so the caller must not touch it afterwards.
 *
 * Always returns 1, including when the allocation fails and the frame is
 * dropped without any indication to the caller.
 *
 * NOTE(review): skb_copy_from_linear_data() is asked for skb->len bytes,
 * which presumably assumes @skb is fully linear -- confirm against callers.
 */
int nr_loopback_queue(struct sk_buff *skb)
{
	struct sk_buff *copy = alloc_skb(skb->len, GFP_ATOMIC);

	/* Allocation failure is not reported; the frame is simply lost. */
	if (copy == NULL)
		goto drop_original;

	skb_copy_from_linear_data(skb, skb_put(copy, skb->len), skb->len);
	skb_reset_transport_header(copy);
	skb_queue_tail(&loopback_queue, copy);

	/* Only arm the timer when it is idle, so a pending expiry is not pushed back. */
	if (nr_loopback_running() == 0)
		mod_timer(&loopback_timer, jiffies + 10);

drop_original:
	kfree_skb(skb);
	return 1;
}

/*
 * Timer callback: deliver one queued loopback frame to the receive path.
 *
 * Takes a single frame off loopback_queue, looks up the device for the
 * address found at byte offset 7 of the frame data, and passes the frame to
 * nr_rx_frame(). The frame is freed here when no device is found or when
 * nr_rx_frame() returns 0. If more frames remain and the timer is not
 * pending, it is re-armed for jiffies + 10. @unused is not referenced.
 *
 * NOTE(review): nothing in this function checks that the frame is long enough
 * to hold an address at offset 7; it relies on whatever was enqueued being a
 * well-formed frame -- confirm against the callers of nr_loopback_queue().
 */
static void nr_loopback_timer(struct timer_list *unused)
{
	struct sk_buff *frame = skb_dequeue(&loopback_queue);
	struct net_device *dev;

	if (frame == NULL)
		return;

	/* Presumably the destination callsign, after a 7-byte source field -- TODO confirm. */
	dev = nr_dev_get((ax25_address *)(frame->data + 7));

	if (dev == NULL || nr_rx_frame(frame, dev) == 0)
		kfree_skb(frame);

	/*
	 * NOTE(review): dev can be NULL on this path, so this relies on
	 * dev_put() accepting NULL -- verify for the kernel version in use.
	 */
	dev_put(dev);

	if (skb_queue_empty(&loopback_queue) || nr_loopback_running())
		return;

	mod_timer(&loopback_timer, jiffies + 10);
}

/*
 * Stop the loopback timer and discard every frame still queued.
 *
 * NOTE(review): nothing in this file stops a later nr_loopback_queue() call
 * from enqueueing and re-arming the timer after this returns -- confirm that
 * callers guarantee no further enqueues during teardown.
 */
void nr_loopback_clear(void)
{
	/* Timer is stopped first, so the callback is not dequeuing while the queue is purged. */
	del_timer_sync(&loopback_timer);
	skb_queue_purge(&loopback_queue);
}