From patchwork Wed Sep 28 10:51:58 2011
X-Patchwork-Submitter: Jason Wang
X-Patchwork-Id: 116752
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <4E82FC4E.5010101@redhat.com>
Date: Wed, 28 Sep 2011 18:51:58 +0800
From: Jason Wang
To: netdev@vger.kernel.org, eric.dumazet@gmail.com, "David S. Miller", linux-kernel@vger.kernel.org, Greg KH, stable@kernel.org
CC: "Michael S. Tsirkin", Amos Kong
Subject: Possible NULL dereference caused by -stable commit ef81bb40bf15f350fe865f31fa42f1082772a576
X-Mailing-List: netdev@vger.kernel.org

Hi all:

A possible NULL dereference was noticed in the stable commit ef81bb40bf15f350fe865f31fa42f1082772a576 (which is a backport of 87c48fa3b4630905f98268dde838ee43626a060c). The case happens when the bridge forwards a packet from a guest to a physical NIC; at this time no route is attached to the skb, which may lead to a NULL dereference in ipv6_select_ident(). The -next version has this check, so it is fine.

The following patch may be used to avoid this, but may also make the IP identification predictable, and this defect also exists in the -next version when there is no route, because we still depend on a global variable to generate the identification.

Any thoughts on this?

Thanks.

int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
---
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 4ea6e21..414e2f4 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -622,7 +622,9 @@ static u32 __ipv6_select_ident(const struct in6_addr *addr) void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) { - fhdr->identification = htonl(__ipv6_select_ident(&rt->rt6i_dst.addr)); + const struct in6_addr addr = IN6ADDR_ANY_INIT; + fhdr->identification = + htonl(__ipv6_select_ident(rt ? &rt->rt6i_dst.addr : &addr));  }
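
Review bot: In ipv6_select_ident(), the rt == NULL branch passes the all-zero IN6ADDR_ANY_INIT address to __ipv6_select_ident(), so every fragment sent without a route derives its identification from the same input regardless of where the packet is going. The function only receives fhdr and rt, so keying the fallback on the packet's real destination would require the caller to pass that address (or the skb) in. Separately, addr is rebuilt on the stack on each call, so declaring it static const would avoid that; kernel style also expects a blank line after the declaration, and the submission carries no Signed-off-by line.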