Patch "tipc: Fix NULL pointer dereference in __tipc_sendstream()" has been added to the 5.7-stable tree


 



This is a note to let you know that I've just added the patch titled

    tipc: Fix NULL pointer dereference in __tipc_sendstream()

to the 5.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tipc-fix-null-pointer-dereference-in-__tipc_sendstre.patch
and it can be found in the queue-5.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ed1a8378cb5dee5efa09e36fe297b4e4c31faa94
Author: YueHaibing <yuehaibing@xxxxxxxxxx>
Date:   Thu May 28 22:34:07 2020 +0800

    tipc: Fix NULL pointer dereference in __tipc_sendstream()
    
    [ Upstream commit 4c21daae3dbc9f8536cc18e6e53627821fa2c90c ]
    
    tipc_sendstream() may send zero length packet, then tipc_msg_append()
    does not alloc skb, skb_peek_tail() will get NULL, msg_set_ack_required
    will trigger NULL pointer dereference.
    
    Reported-by: syzbot+8eac6d030e7807c21d32@xxxxxxxxxxxxxxxxxxxxxxxxx
    Fixes: 0a3e060f340d ("tipc: add test for Nagle algorithm effectiveness")
    Signed-off-by: YueHaibing <yuehaibing@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 62fc871a8d673..f02f2abf6e3c0 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1589,8 +1589,12 @@ static int __tipc_sendstream(struct socket *sock, struct msghdr *m, size_t dlen)
 				tsk->pkt_cnt += skb_queue_len(txq);
 			} else {
 				skb = skb_peek_tail(txq);
-				msg_set_ack_required(buf_msg(skb));
-				tsk->expect_ack = true;
+				if (skb) {
+					msg_set_ack_required(buf_msg(skb));
+					tsk->expect_ack = true;
+				} else {
+					tsk->expect_ack = false;
+				}
 				tsk->msg_acc = 0;
 				tsk->pkt_cnt = 0;
 			}
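
Review bot: In the new else branch, `tsk->expect_ack = false;` clears the flag every time skb_peek_tail(txq) returns NULL, and msg_acc and pkt_cnt are still reset right after it. If an earlier send on this socket had set expect_ack and that ack is still outstanding, a zero-length send would now discard that state. Consider leaving expect_ack unchanged when skb is NULL, or add a short comment stating why clearing it is safe and that the NULL case arises from a zero-length send where tipc_msg_append() queues no skb, so the guard does not look like dead code to later readers.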


