Commit 46ef5b8
ip6_gre: fix null-ptr-deref in ip6gre_init_net()
KASAN reported a null-ptr-deref error when register_netdev() failed:
KASAN: null-ptr-deref in range [0x00000000000003c0-0x00000000000003c7]
CPU: 2 PID: 422 Comm: ip Not tainted 5.8.0-rc4+ #12
Call Trace:
ip6gre_init_net+0x4ab/0x580
? ip6gre_tunnel_uninit+0x3f0/0x3f0
ops_init+0xa8/0x3c0
setup_net+0x2de/0x7e0
? rcu_read_lock_bh_held+0xb0/0xb0
? ops_init+0x3c0/0x3c0
? kasan_unpoison_shadow+0x33/0x40
? __kasan_kmalloc.constprop.0+0xc2/0xd0
copy_net_ns+0x27d/0x530
create_new_namespaces+0x382/0xa30
unshare_nsproxy_namespaces+0xa1/0x1d0
ksys_unshare+0x39c/0x780
? walk_process_tree+0x2a0/0x2a0
? trace_hardirqs_on+0x4a/0x1b0
? _raw_spin_unlock_irq+0x1f/0x30
? syscall_trace_enter+0x1a7/0x330
? do_syscall_64+0x1c/0xa0
__x64_sys_unshare+0x2d/0x40
do_syscall_64+0x56/0xa0
entry_SYSCALL_64_after_hwframe+0x44/0xa9

ip6gre_tunnel_uninit() has set 'ign->fb_tunnel_dev' to NULL, later
access to ign->fb_tunnel_dev causes null-ptr-deref. Fix it by saving
'ign->fb_tunnel_dev' to local variable ndev.

Fixes: dafabb6 ("ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()")
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: Wei Yongjun <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

1 parent e048401 commit 46ef5b8
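
A userspace C model of the failure path the commit message describes, added here as an illustration; it is not code from the kernel or from this commit. All names (`struct pernet`, `dev_register`, `dev_release`, `init_before`, `init_after`) are hypothetical, and the model assumes, as the message describes, that the uninit callback has cleared the shared pointer by the time registration reports failure.

```c
#include <stddef.h>

/* Userspace model of the failure path; every name below is hypothetical. */
enum { INIT_OK = 0, CLEANUP_GOT_NULL = 1, CLEANUP_RELEASED = 2 };

struct dev { int registered, released; };
struct pernet { struct dev *fb_dev; };   /* stands in for ign->fb_tunnel_dev */

/* Models the uninit callback, which clears the shared per-net pointer. */
static void dev_uninit(struct pernet *pn) { pn->fb_dev = NULL; }

/* Models registration: when it fails, the uninit callback has already run. */
static int dev_register(struct pernet *pn, struct dev *d, int fail)
{
    if (fail) { dev_uninit(pn); return -1; }
    d->registered = 1;
    return 0;
}

/* Models the release step; the model reports a NULL argument instead of
 * dereferencing it, which is where the reported fault would occur. */
static int dev_release(struct dev *p)
{
    if (!p) return CLEANUP_GOT_NULL;
    p->released = 1;
    return CLEANUP_RELEASED;
}

/* Before: the error path re-reads the shared field after the failure. */
static int init_before(struct pernet *pn, struct dev *mem, int fail)
{
    pn->fb_dev = mem;
    if (dev_register(pn, pn->fb_dev, fail) == 0) return INIT_OK;
    return dev_release(pn->fb_dev);      /* field is NULL by now */
}

/* After: the device is held in a local, so cleanup ignores the field. */
static int init_after(struct pernet *pn, struct dev *mem, int fail)
{
    struct dev *ndev = mem;
    pn->fb_dev = ndev;
    if (dev_register(pn, ndev, fail) == 0) return INIT_OK;
    return dev_release(ndev);
}
```

In the "before" variant the device is also never released, because the only reference to it was the field that the callback cleared.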
1 file changed
Lines changed: 6 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1562 | 1562 | | |
1563 | 1563 | | |
1564 | 1564 | | |
| 1565 | + | |
1565 | 1566 | | |
1566 | 1567 | | |
1567 | 1568 | | |
1568 | 1569 | | |
1569 | | - | |
1570 | | - | |
1571 | | - | |
1572 | | - | |
| 1570 | + | |
| 1571 | + | |
| 1572 | + | |
1573 | 1573 | | |
1574 | 1574 | | |
1575 | 1575 | | |
| 1576 | + | |
1576 | 1577 | | |
1577 | 1578 | | |
1578 | 1579 | | |
| |||
1592 | 1593 | | |
1593 | 1594 | | |
1594 | 1595 | | |
1595 | | - | |
| 1596 | + | |
1596 | 1597 | | |
1597 | 1598 | | |
1598 | 1599 | | |
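Review bot: the one-line replacement at old line 1595 / new line 1596 is not tied to anything in the commit message, which says only that a "later access to ign->fb_tunnel_dev" faults after register_netdev() failed. Naming the faulting statement in the message, and stating that the remaining reads of ign->fb_tunnel_dev on the error path now go through the local ndev, would let a reviewer or backporter confirm that no stale read is left.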
| |||