From: Greg Kroah-Hartman
Subject: [PATCH 4.4 150/342] Bluetooth: 6lowpan: Fix kernel NULL pointer dereferences
Cc: Greg Kroah-Hartman, Glenn Ruben Bakke, Lukasz Duda, Jukka Rissanen, Johan Hedberg
Message-Id: <20160301234532.817504202@linuxfoundation.org>
In-Reply-To: <20160301234527.990448862@linuxfoundation.org>
Date: Tue, 01 Mar 2016 23:54:33 +0000
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Glenn Ruben Bakke

commit 4c58f3282e3de43d34f8955f8eca676294380bf9 upstream.

The fixes provided in this patch assign a valid net_device structure to
skb before dispatching it for further processing.

Scenario #1:
============

Bluetooth 6lowpan receives an uncompressed IPv6 header, and dispatches it
to netif. The following error occurs:

Null pointer dereference error #1 crash log:

[ 845.854013] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[ 845.855785] IP: [] enqueue_to_backlog+0x56/0x240
...
[ 845.909459] Call Trace:
[ 845.911678] [] netif_rx_internal+0x44/0xf0

The first modification fixes the NULL pointer dereference error by
assigning dev to the local_skb in order to set a valid net_device before
processing the skb by netif_rx_ni().

Scenario #2:
============

Bluetooth 6lowpan receives a UDP compressed message which needs further
decompression by nhc_udp. The following error occurs:

Null pointer dereference error #2 crash log:

[ 63.295149] BUG: unable to handle kernel NULL pointer dereference at 0000000000000840
[ 63.295931] IP: [] udp_uncompress+0x320/0x626 [nhc_udp]

The second modification fixes the NULL pointer dereference error by
assigning dev to the local_skb in the case of a udp compressed packet.
The 6lowpan udp_uncompress function expects that the net_device is set in
the skb when checking lltype.

Signed-off-by: Glenn Ruben Bakke
Signed-off-by: Lukasz Duda
Acked-by: Jukka Rissanen
Signed-off-by: Johan Hedberg
Signed-off-by: Greg Kroah-Hartman
--- net/bluetooth/6lowpan.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c @@ -317,6 +317,7 @@ static int recv_pkt(struct sk_buff *skb, local_skb->protocol = htons(ETH_P_IPV6); local_skb->pkt_type = PACKET_HOST; + local_skb->dev = dev; skb_set_transport_header(local_skb, sizeof(struct ipv6hdr)); 
@@ -335,6 +336,8 @@ static int recv_pkt(struct sk_buff *skb, if (!local_skb) goto drop; + local_skb->dev = dev; + ret = iphc_decompress(local_skb, dev, chan); if (ret < 0) { kfree_skb(local_skb); @@ -343,7 +346,6 @@ static int recv_pkt(struct sk_buff *skb, local_skb->protocol = htons(ETH_P_IPV6); local_skb->pkt_type = PACKET_HOST; - local_skb->dev = dev; if (give_skb_to_upper(local_skb, dev) != NET_RX_SUCCESS) {
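
Review bot: The new `local_skb->dev = dev;` in the @@ -317 hunk (the uncompressed IPv6 branch of recv_pkt) has no comment saying why it is required, and nothing in the visible lines shows that the receive path will dereference skb->dev. The commit message ties it to the enqueue_to_backlog crash under netif_rx_internal, so a one-line comment above the assignment, stating that the skb needs a valid net_device before it is handed up, would keep a later cleanup from dropping it as redundant. It would also read more consistently if both branches set dev at the same point, right after local_skb is obtained, instead of after pkt_type here and before iphc_decompress() in the other branch.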
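
Review bot: In the @@ -335 hunk the assignment now has to come before `ret = iphc_decompress(local_skb, dev, chan);`, but that ordering constraint is not documented in the code. According to the commit message, udp_uncompress reads the net_device from the skb when checking lltype, so moving the line back next to protocol/pkt_type (where the @@ -343 hunk removes it) would reintroduce the NULL dereference. A short comment above the assignment saying that dev must be set before decompression because the NHC handlers read skb->dev would make that explicit. Since iphc_decompress() already receives dev as an argument and the caller already handles `ret < 0` by freeing the skb, it is also worth considering a NULL check on skb->dev in the decompression path that returns an error, so a caller omission results in a dropped packet rather than an oops.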