Patch "ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()" has been added to the 4.14-stable tree

This is a note to let you know that I've just added the patch titled

    ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Wed Mar 28 18:38:30 CEST 2018
From: Eric Dumazet <edumazet@xxxxxxxxxx>
Date: Mon, 5 Mar 2018 08:51:03 -0800
Subject: ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()

From: Eric Dumazet <edumazet@xxxxxxxxxx>


[ Upstream commit ca0edb131bdf1e6beaeb2b8289fd6b374b74147d ]

A tun device type can trivially be set to arbitrary value using
TUNSETLINK ioctl().

Therefore, lowpan_device_event() must really check that ieee802154_ptr
is not NULL.

Fixes: 2c88b5283f60d ("ieee802154: 6lowpan: remove check on null")
Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Cc: Alexander Aring <alex.aring@xxxxxxxxx>
Cc: Stefan Schmidt <stefan@xxxxxxxxxxxxxxx>
Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
Acked-by: Stefan Schmidt <stefan@xxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/ieee802154/6lowpan/core.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/net/ieee802154/6lowpan/core.c
+++ b/net/ieee802154/6lowpan/core.c
@@ -206,9 +206,13 @@ static inline void lowpan_netlink_fini(v
 static int lowpan_device_event(struct notifier_block *unused,
 			       unsigned long event, void *ptr)
 {
-	struct net_device *wdev = netdev_notifier_info_to_dev(ptr);
+	struct net_device *ndev = netdev_notifier_info_to_dev(ptr);
+	struct wpan_dev *wpan_dev;
 
-	if (wdev->type != ARPHRD_IEEE802154)
+	if (ndev->type != ARPHRD_IEEE802154)
+		return NOTIFY_DONE;
+	wpan_dev = ndev->ieee802154_ptr;
+	if (!wpan_dev)
 		return NOTIFY_DONE;
 
 	switch (event) {
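
Review bot: The new `if (!wpan_dev)` check carries no comment saying why a device whose type is ARPHRD_IEEE802154 can still have a NULL `ieee802154_ptr`, and the Fixes: tag shows an earlier check of this kind was already removed once as redundant. A one-line comment above the check, noting that a tun device's type can be set to an arbitrary value with the TUNSETLINK ioctl(), so the type test alone does not guarantee a wpan device, would keep it from being dropped again. The rename from `wdev` to `ndev` is reasonable now that `wpan_dev` is a separate local, but it is churn in a stable backport; worth confirming it matches the upstream commit exactly.
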
@@ -217,8 +221,8 @@ static int lowpan_device_event(struct no
 		 * also delete possible lowpan interfaces which belongs
 		 * to the wpan interface.
 		 */
-		if (wdev->ieee802154_ptr->lowpan_dev)
-			lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL);
+		if (wpan_dev->lowpan_dev)
+			lowpan_dellink(wpan_dev->lowpan_dev, NULL);
 		break;
 	default:
 		return NOTIFY_DONE;
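
Review bot: In the replaced pair, `wpan_dev->lowpan_dev` is still read twice, once in the `if` and once as the argument to `lowpan_dellink()`. Since the function now caches `wpan_dev` in a local anyway, reading `lowpan_dev` into a local once and testing that would be tidier and make the intent (delete the lowpan link only if one exists) explicit. These lines are only safe because of the early `return NOTIFY_DONE` on a NULL `wpan_dev` added at the top of the function, so any later reordering of that check needs to keep it ahead of this `switch`.
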


Patches currently in stable-queue which might be from edumazet@xxxxxxxxxx are

queue-4.14/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
queue-4.14/skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch
queue-4.14/l2tp-do-not-accept-arbitrary-sockets.patch
queue-4.14/tcp-purge-write-queue-upon-aborting-the-connection.patch
queue-4.14/net-use-skb_to_full_sk-in-skb_update_prio.patch
queue-4.14/ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
queue-4.14/tcp-reset-sk_send_head-in-tcp_write_queue_purge.patch


