https://github.com/torvalds/linux
Revision 73d2c6678e6c3af7e7a42b1e78cd0211782ade32 authored by WANG Cong on 07 February 2017, 20:59:46 UTC, committed by David S. Miller on 08 February 2017, 18:58:21 UTC
Andrey reported a kernel crash: general protection fault: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff880060048040 task.stack: ffff880069be8000 RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline] RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837 RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000 RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2 RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000 R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0 R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000 FS: 00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0 Call Trace: inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 SYSC_sendto+0x660/0x810 net/socket.c:1687 SyS_sendto+0x40/0x50 net/socket.c:1655 entry_SYSCALL_64_fastpath+0x1f/0xc2 This is because we miss a check for NULL pointer for skb_peek() when the queue is empty. Other places already have the same check. Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 9538132
ping: fix a null pointer dereference