Mainline commit 89c22d8c3b27 ("net: Fix skb csum races when peeking") backport into pre-3.19 stable kernels introduces a regression causing a null pointer dereference in skb_copy_and_csum_datagram_iovec(). This commit only sets CHECKSUM_UNNECESSARY for non-shared skb, allowing udp_recvmsg() to take the "else" branch of if (skb_csum_unnecessary(skb)) when called with a null iovec (and len=0, e.g. when peeking for datagram size first).

The problem is that unlike skb_copy_and_csum_datagram_msg(), called in this path since 3.19, skb_copy_and_csum_datagram_iovec() does not handle a null iov parameter and always dereferences iov->iov_len. This is especially harmful when udp_recvmsg() is called in kernel context, e.g. from kernel nfsd.

Band-aid skb_copy_and_csum_datagram_iovec() by testing iov for null and only checking the checksum in this case.

Signed-off-by: Michal Kubecek <mkubecek@xxxxxxx>
---
 net/core/datagram.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/core/datagram.c b/net/core/datagram.c
index 3a402a7b20e9..f8b38794fa9b 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -799,6 +799,13 @@ int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb, if (!chunk) return 0; + if (!iov) { + if (__skb_checksum_complete(skb)) + goto csum_error; + else + return 0; + } + /* Skip filled elements. * Pretty silly, look at memcpy_toiovec, though 8) */
-- 
2.6.2
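Review bot: the `else` after `goto csum_error;` in the new `if (!iov)` block is redundant, since the goto already leaves the function; `if (__skb_checksum_complete(skb)) goto csum_error; return 0;` reads cleaner and matches the style of the `if (!chunk) return 0;` check immediately above it. The placement itself looks right: the null test sits after the zero-length early return and before the code the "Skip filled elements" comment introduces, which is where the iov->iov_len dereference described in the commit message would otherwise happen, and a null iov still gets its checksum verified rather than being silently accepted.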
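The user-visible access pattern the commit message describes is a zero-length receive with no iovec, used to learn a datagram's size before reading it. The program below is an added example and is not part of the patch or of the kernel tree: it builds a UDP socket pair on 127.0.0.1, sends one datagram, peeks its length with recvmsg() carrying msg_iov = NULL and msg_iovlen = 0 plus MSG_PEEK|MSG_TRUNC, then reads the datagram for real and checks the two agree. It assumes Linux semantics for MSG_TRUNC on a zero-length peek (the full datagram length is returned even though nothing is copied). Whether a user-space call like this reaches the faulting path on an affected pre-3.19 stable kernel depends on how udp_recvmsg() is handed the iovec, which the message does not spell out; it names the in-kernel nfsd caller as the harmful case.

```c
/* Added example, not from the patch or the kernel tree: reproduce the
 * "peek for datagram size first" pattern from the commit message with a
 * NULL iovec and a zero-length receive.  Build on Linux with:
 *   cc -Wall peek.c -o peek
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Report the length of the next queued datagram without consuming it.
 * msg_iov is deliberately NULL and msg_iovlen is 0, so no bytes are
 * copied; MSG_TRUNC makes the kernel return the datagram's full length
 * instead of the 0 bytes actually delivered, and MSG_PEEK leaves it
 * queued for the real read that follows.  (Assumed Linux behaviour.) */
static ssize_t peek_datagram_len(int fd)
{
	struct msghdr msg;

	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = NULL;
	msg.msg_iovlen = 0;
	return recvmsg(fd, &msg, MSG_PEEK | MSG_TRUNC);
}

/* Bind a UDP socket to 127.0.0.1 on an ephemeral port; *addr receives
 * the bound address so a peer can send to it.  Returns the fd or -1. */
static int bind_loopback_udp(struct sockaddr_in *addr)
{
	socklen_t len = sizeof(*addr);
	int fd = socket(AF_INET, SOCK_DGRAM, 0);

	if (fd < 0)
		return -1;
	memset(addr, 0, sizeof(*addr));
	addr->sin_family = AF_INET;
	addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	addr->sin_port = 0;	/* let the kernel pick a port */
	if (bind(fd, (struct sockaddr *)addr, sizeof(*addr)) < 0 ||
	    getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Send one constructed datagram over loopback, peek its size with the
 * NULL-iovec call, then read it.  Returns the peeked size when it matches
 * both what was sent and what the real read delivered, otherwise -1. */
static ssize_t peek_then_read_demo(const char *payload, size_t payload_len)
{
	struct sockaddr_in rx_addr, tx_addr;
	char buf[512];
	ssize_t peeked, got;
	int rx = -1, tx = -1;

	rx = bind_loopback_udp(&rx_addr);
	tx = bind_loopback_udp(&tx_addr);
	if (rx < 0 || tx < 0)
		goto fail;
	if (sendto(tx, payload, payload_len, 0, (struct sockaddr *)&rx_addr,
		   sizeof(rx_addr)) != (ssize_t)payload_len)
		goto fail;

	peeked = peek_datagram_len(rx);		/* first call: size only */
	if (peeked < 0 || (size_t)peeked != payload_len)
		goto fail;
	got = recv(rx, buf, sizeof(buf), 0);	/* second call: the data */
	if (got != peeked || memcmp(buf, payload, payload_len) != 0)
		goto fail;

	close(rx);
	close(tx);
	return peeked;
fail:
	if (rx >= 0)
		close(rx);
	if (tx >= 0)
		close(tx);
	return -1;
}

int main(void)
{
	const char payload[] = "peek-me-first";	/* constructed sample */
	ssize_t n = peek_then_read_demo(payload, sizeof(payload) - 1);

	if (n < 0) {
		perror("peek/read demo failed");
		return 1;
	}
	printf("zero-length peek reported %zd bytes; full read matched\n", n);
	return 0;
}
```

On a kernel carrying the regression, the interesting caller is not this user-space program but an in-kernel recvmsg with a genuinely null iovec; the program is useful as the regression check a practitioner keeps alongside the fix, because it exercises the same len=0 peek-first sequence through udp_recvmsg() and must keep returning the correct length.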