From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Abaci, Michael Wang, "David S. Miller", Sasha Levin
Subject: [PATCH 5.4 171/260] net: fix NULL pointer reference in cipso_v4_doi_free
Date: Mon, 20 Sep 2021 18:43:09 +0200
Message-Id: <20210920163936.892692782@linuxfoundation.org>
In-Reply-To: <20210920163931.123590023@linuxfoundation.org>
References: <20210920163931.123590023@linuxfoundation.org>

From: 王贇

[ Upstream commit 733c99ee8be9a1410287cdbb943887365e83b2d6 ]

In netlbl_cipsov4_add_std() when 'doi_def->map.std' alloc failed, we
sometimes observe a panic:

  BUG: kernel NULL pointer dereference, address:
  ...
  RIP: 0010:cipso_v4_doi_free+0x3a/0x80
  ...
  Call Trace:
   netlbl_cipsov4_add_std+0xf4/0x8c0
   netlbl_cipsov4_add+0x13f/0x1b0
   genl_family_rcv_msg_doit.isra.15+0x132/0x170
   genl_rcv_msg+0x125/0x240

This is because in cipso_v4_doi_free() there is no check on
'doi_def->map.std' when 'doi_def->type' equals 1, which is possible,
since netlbl_cipsov4_add_std() hasn't initialized it before allocating
'doi_def->map.std'.

This patch just adds the check to prevent the panic from happening in
similar cases.

Reported-by: Abaci
Signed-off-by: Michael Wang
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- net/netlabel/netlabel_cipso_v4.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index 8cd3daf0e3db..1778e4e8ce24 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c 
@@ -144,8 +144,8 @@ static int netlbl_cipsov4_add_std(struct genl_info *info, return -ENOMEM; doi_def->map.std = kzalloc(sizeof(*doi_def->map.std), GFP_KERNEL); if (doi_def->map.std == NULL) { - ret_val = -ENOMEM; - goto add_std_failure; + kfree(doi_def); + return -ENOMEM; } doi_def->type = CIPSO_V4_MAP_TRANS; -- 2.30.2
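Review bot: the changelog does not match the code in the kzalloc() failure branch of netlbl_cipsov4_add_std(). The message says a check on 'doi_def->map.std' is added in cipso_v4_doi_free(), but this hunk leaves that function alone and instead replaces "goto add_std_failure" with "kfree(doi_def); return -ENOMEM;", so the fix is to avoid the common failure path while doi_def->type is still unset. Please reword the changelog to describe that, and add a one-line comment above the kfree() saying why this branch must not jump to add_std_failure, since a later cleanup that "unifies" the error paths would bring the NULL dereference back. The "similar cases" the message mentions are not covered here: any other caller that reaches cipso_v4_doi_free() with a type set and a NULL map.std would still hit the same dereference, so either confirm there are none or keep the NULL check in the free routine as well.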