This is a note to let you know that I've just added the patch titled
ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From foo@baz Wed Mar 28 18:38:30 CEST 2018
From: Eric Dumazet edumazet@google.com Date: Mon, 5 Mar 2018 08:51:03 -0800 Subject: ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
From: Eric Dumazet edumazet@google.com
[ Upstream commit ca0edb131bdf1e6beaeb2b8289fd6b374b74147d ]
A tun device type can trivially be set to arbitrary value using TUNSETLINK ioctl().
Therefore, lowpan_device_event() must really check that ieee802154_ptr is not NULL.
Fixes: 2c88b5283f60d ("ieee802154: 6lowpan: remove check on null") Signed-off-by: Eric Dumazet edumazet@google.com Cc: Alexander Aring alex.aring@gmail.com Cc: Stefan Schmidt stefan@osg.samsung.com Reported-by: syzbot syzkaller@googlegroups.com Acked-by: Stefan Schmidt stefan@osg.samsung.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/ieee802154/6lowpan/core.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
--- a/net/ieee802154/6lowpan/core.c +++ b/net/ieee802154/6lowpan/core.c @@ -206,9 +206,13 @@ static inline void lowpan_netlink_fini(v static int lowpan_device_event(struct notifier_block *unused, unsigned long event, void *ptr) { - struct net_device *wdev = netdev_notifier_info_to_dev(ptr); + struct net_device *ndev = netdev_notifier_info_to_dev(ptr); + struct wpan_dev *wpan_dev;
- if (wdev->type != ARPHRD_IEEE802154) + if (ndev->type != ARPHRD_IEEE802154) + return NOTIFY_DONE; + wpan_dev = ndev->ieee802154_ptr; + if (!wpan_dev) return NOTIFY_DONE;
switch (event) { @@ -217,8 +221,8 @@ static int lowpan_device_event(struct no * also delete possible lowpan interfaces which belongs * to the wpan interface. */ - if (wdev->ieee802154_ptr->lowpan_dev) - lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL); + if (wpan_dev->lowpan_dev) + lowpan_dellink(wpan_dev->lowpan_dev, NULL); break; default: return NOTIFY_DONE;
Patches currently in stable-queue which might be from edumazet@google.com are
queue-4.14/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch queue-4.14/skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch queue-4.14/l2tp-do-not-accept-arbitrary-sockets.patch queue-4.14/tcp-purge-write-queue-upon-aborting-the-connection.patch queue-4.14/net-use-skb_to_full_sk-in-skb_update_prio.patch queue-4.14/ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch queue-4.14/tcp-reset-sk_send_head-in-tcp_write_queue_purge.patch
linux-stable-mirror@lists.linaro.org