[3.5.y.z,extended,stable] Patch "af-packet: fix oops when socket is not present" has been added to staging queue

Submitted by Herton Ronaldo Krzesinski on Dec. 12, 2012, 5:11 a.m.


Message ID 1355289093-31378-1-git-send-email-herton.krzesinski@canonical.com
State New
Headers show

Commit Message

Herton Ronaldo Krzesinski Dec. 12, 2012, 5:11 a.m.
This is a note to let you know that I have just added a patch titled

    af-packet: fix oops when socket is not present

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 1aea079bb9a28e960d460d5c5ad5c1bd4e2a6b59 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Tue, 6 Nov 2012 02:10:10 +0000
Subject: [PATCH] af-packet: fix oops when socket is not present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

commit a3d744e995d2b936c500585ae39d99ee251c89b4 upstream.

Due to a NULL dereference, the following patch is causing oops
in normal trafic condition:

commit c0de08d04215031d68fa13af36f347a6cfa252ca
Author: Eric Leblond <eric@regit.org>
Date:   Thu Aug 16 22:02:58 2012 +0000

    af_packet: don't emit packet on orig fanout group

This buggy patch was a feature fix and has reached most stable

When skb->sk is NULL and when packet fanout is used, there is a
crash in match_fanout_group where skb->sk is accessed.
This patch fixes the issue by returning false as soon as the
socket is NULL: this correspond to the wanted behavior because
the kernel as to resend the skb to all the listening socket in
this case.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Patch hide | download patch | download mbox

diff --git a/net/core/dev.c b/net/core/dev.c
index 4ef7993..75845ba 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1642,7 +1642,7 @@  static inline int deliver_skb(struct sk_buff *skb,

 static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
-	if (ptype->af_packet_priv == NULL)
+	if (!ptype->af_packet_priv || !skb->sk)
 		return false;

 	if (ptype->id_match)