Message-ID: <1480605562.18162.292.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: Re: [PATCH] ip6_offload: check segs for NULL in ipv6_gso_segment.
From: Eric Dumazet <eric.dumazet@gmail.com>
To: Artem Savkov <asavkov@redhat.com>
Cc: davem@davemloft.net, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, jstancek@redhat.com,
        steffen.klassert@secunet.com, alexander.h.duyck@intel.com
Date: Thu, 01 Dec 2016 07:19:22 -0800
In-Reply-To: <1480602847.18162.288.camel@edumazet-glaptop3.roam.corp.google.com>
References: <1480597564-32355-1-git-send-email-asavkov@redhat.com>
         <1480602847.18162.288.camel@edumazet-glaptop3.roam.corp.google.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1091
Lines: 39

On Thu, 2016-12-01 at 06:34 -0800, Eric Dumazet wrote:
> On Thu, 2016-12-01 at 14:06 +0100, Artem Savkov wrote:
> > segs needs to be checked for being NULL in ipv6_gso_segment() before calling
> > skb_shinfo(segs), otherwise kernel can run into a NULL-pointer dereference:
> 
> 
> > Signed-off-by: Artem Savkov <asavkov@redhat.com>
> > ---
> >  
> 
> > diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
> > index 1fcf61f..89c59e6 100644
> > --- a/net/ipv6/ip6_offload.c
> > +++ b/net/ipv6/ip6_offload.c
> > @@ -99,7 +99,7 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
> >  		segs = ops->callbacks.gso_segment(skb, features);
> >  	}
> >  
> > -	if (IS_ERR(segs))
> > +	if (IS_ERR_OR_NULL(segs))
> >  		goto out;
> >  
> >  	gso_partial = !!(skb_shinfo(segs)->gso_type & SKB_GSO_PARTIAL);
> 
> Do you know when was this bug added ?
> 
> Are you sure this is the right fix ?
> 
> Which gso_segment() is returning NULL exactly ?

Oh never mind.

This is the same fix than 576a30eb64534 but applied to IPv6.

Thanks !

Acked-by: Eric Dumazet <edumazet@google.com>