Date: Thu, 1 Dec 2016 16:07:03 +0100
From: Artem Savkov
To: Eric Dumazet
Cc: davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, jstancek@redhat.com, steffen.klassert@secunet.com, alexander.h.duyck@intel.com
Subject: Re: [PATCH] ip6_offload: check segs for NULL in ipv6_gso_segment.
Message-ID: <20161201150703.dv463hxgqajqo6pm@shodan.usersys.redhat.com>
References: <1480597564-32355-1-git-send-email-asavkov@redhat.com> <1480602847.18162.288.camel@edumazet-glaptop3.roam.corp.google.com>
In-Reply-To: <1480602847.18162.288.camel@edumazet-glaptop3.roam.corp.google.com>

On Thu, Dec 01, 2016 at 06:34:07AM -0800, Eric Dumazet wrote:
> On Thu, 2016-12-01 at 14:06 +0100, Artem Savkov wrote:
> > segs needs to be checked for being NULL in ipv6_gso_segment() before calling
> > skb_shinfo(segs), otherwise kernel can run into a NULL-pointer dereference:
> >
> > Signed-off-by: Artem Savkov
> > ---
> >
> > diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
> > index 1fcf61f..89c59e6 100644
> > --- a/net/ipv6/ip6_offload.c
> > +++ b/net/ipv6/ip6_offload.c
> > @@ -99,7 +99,7 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, > > segs = ops->callbacks.gso_segment(skb, features); > > } > > > > - if (IS_ERR(segs)) > > + if (IS_ERR_OR_NULL(segs)) > > goto out; > > > > gso_partial = !!(skb_shinfo(segs)->gso_type & SKB_GSO_PARTIAL);
>
> Do you know when was this bug added ?

It started to show up with 4.9-rc4, from what I see the culprit is
07b26c9 gso: Support partial splitting at the frag_list pointer

> Are you sure this is the right fix ?

I am not, but this would have the same behavior as pre-07b26c9 code and
IS_ERR_OR_NULL is used in ipv4's inet_gso_segment().

> Which gso_segment() is returning NULL exactly ?

Unfortunately I don't know that and I don't have a good reproducer; the
only way to reproduce this that I currently have is calling virt-install.

-- 
Regards,
  Artem
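Review bot: in the hunk at ip6_offload.c:99, widening the guard to IS_ERR_OR_NULL(segs) does stop the skb_shinfo(segs) dereference on the following line, but the lines shown do not say what the `out:` label hands back when segs is NULL. If `out` returns segs unchanged, ipv6_gso_segment() now returns NULL to callers that may be prepared for a valid segment list or an ERR_PTR only; the patch should either confirm that those callers treat NULL as "not segmented" (the reply cites inet_gso_segment() in IPv4 as precedent) or convert the NULL into an explicit error, for example `segs = ERR_PTR(-EINVAL);` before the `goto out`, so the failure is reported rather than silently propagated. Separately, the commit message stops at the colon that should introduce the oops trace and does not name the gso_segment() callback that returns NULL or the commit that introduced the behaviour (07b26c9, per the reply); since this check hides a NULL from an unidentified callback, the message should state that the root cause is still open so it is not lost once the guard lands.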
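To make the IS_ERR() versus IS_ERR_OR_NULL() distinction the thread turns on concrete, here is an added user-space example; it is not code from the thread or from the kernel tree. It reimplements the ERR_PTR encoding the way linux/err.h does (error codes occupy the top MAX_ERRNO = 4095 addresses, so NULL is never classified as an error pointer) and replays the guard from the hunk against a hypothetical gso_segment()-style callback that can return a valid result, an ERR_PTR, or NULL. The struct names, fake_gso_segment() and the FAKE_GSO_PARTIAL flag are stand-ins, not kernel identifiers.

```c
/* Added example, not from the thread or the kernel: user-space model of
 * the linux/err.h error-pointer encoding and of the guard in the hunk.
 * MAX_ERRNO matches the kernel's value; everything named fake_* or
 * FAKE_* is a hypothetical stand-in for skb machinery. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095

/* Same arithmetic as the kernel: negative errno values are stored in the
 * last MAX_ERRNO bytes of the address space, which no real object uses. */
static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}
/* NULL is address 0, far below the error window, so IS_ERR(NULL) is 0
 * and only this wider check catches it. */
static inline int IS_ERR_OR_NULL(const void *ptr)
{
    return !ptr || IS_ERR(ptr);
}

/* Stand-in for the shared-info block skb_shinfo() returns; only the
 * gso_type field the hunk reads is modelled. */
struct fake_shinfo { unsigned int gso_type; };
struct fake_skb { struct fake_shinfo shinfo; };
#define FAKE_GSO_PARTIAL 0x1u

/* Three behaviours a segmentation callback might exhibit (hypothetical). */
enum seg_mode { SEG_OK, SEG_ERR, SEG_NULL };

static struct fake_skb ok_segs = { { FAKE_GSO_PARTIAL } };

static struct fake_skb *fake_gso_segment(enum seg_mode mode)
{
    switch (mode) {
    case SEG_OK:  return &ok_segs;
    case SEG_ERR: return ERR_PTR(-EINVAL);
    default:      return NULL;   /* the case the patch is guarding against */
    }
}

/* Pre-patch control flow: only IS_ERR() stands between the callback and
 * the dereference. Returns 1 if the real code would now dereference NULL,
 * 0 otherwise; the pointer itself is never touched. */
static int deref_unsafe_with_is_err(enum seg_mode mode)
{
    struct fake_skb *segs = fake_gso_segment(mode);
    if (IS_ERR(segs))
        return 0;                 /* goto out */
    return segs == NULL;          /* skb_shinfo(segs)->gso_type would run */
}

/* Patched control flow with the widened guard. */
static int deref_unsafe_with_is_err_or_null(enum seg_mode mode)
{
    struct fake_skb *segs = fake_gso_segment(mode);
    if (IS_ERR_OR_NULL(segs))
        return 0;
    return segs == NULL;
}

/* The read the hunk performs once the guard has been passed. */
static int gso_partial_of(struct fake_skb *segs)
{
    return !!(segs->shinfo.gso_type & FAKE_GSO_PARTIAL);
}

int main(void)
{
    printf("IS_ERR(NULL)=%d IS_ERR_OR_NULL(NULL)=%d\n",
           IS_ERR(NULL), IS_ERR_OR_NULL(NULL));
    printf("NULL from callback -> unsafe deref: unpatched=%d patched=%d\n",
           deref_unsafe_with_is_err(SEG_NULL),
           deref_unsafe_with_is_err_or_null(SEG_NULL));
    printf("ERR_PTR(-EINVAL) decodes to %ld\n",
           PTR_ERR(ERR_PTR(-EINVAL)));
    return 0;
}
```

The example also shows why Eric's question about which callback returns NULL matters: the widened guard only routes the NULL to `out`; it says nothing about whether `out` hands that NULL to the caller or converts it to an error, which is the part the hunk leaves outside its context lines.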