[v2] Bluetooth: 6LoWPAN: Add missing check for skb_clone

Message ID	20230315070621.447-1-jiasheng@iscas.ac.cn (mailing list archive)
State	Awaiting Upstream
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Jiasheng Jiang <jiasheng@iscas.ac.cn> To: simon.horman@corigine.com Cc: marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jiasheng Jiang <jiasheng@iscas.ac.cn> Subject: [PATCH v2] Bluetooth: 6LoWPAN: Add missing check for skb_clone Date: Wed, 15 Mar 2023 15:06:21 +0800 Message-Id: <20230315070621.447-1-jiasheng@iscas.ac.cn> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[v2] Bluetooth: 6LoWPAN: Add missing check for skb_clone \| expand [v2] Bluetooth: 6LoWPAN: Add missing check for skb_clone

Message ID

20230315070621.447-1-jiasheng@iscas.ac.cn (mailing list archive)

State

Awaiting Upstream

Delegated to:

Netdev Maintainers

Headers

From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
To: simon.horman@corigine.com
Cc: marcel@holtmann.org, johan.hedberg@gmail.com, luiz.dentz@gmail.com,
        davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
        pabeni@redhat.com, linux-bluetooth@vger.kernel.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        Jiasheng Jiang <jiasheng@iscas.ac.cn>
Subject: [PATCH v2] Bluetooth: 6LoWPAN: Add missing check for skb_clone
Date: Wed, 15 Mar 2023 15:06:21 +0800
Message-Id: <20230315070621.447-1-jiasheng@iscas.ac.cn>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[v2] Bluetooth: 6LoWPAN: Add missing check for skb_clone | expand

Context	Check	Description
netdev/series_format	warning	Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 18 this patch: 18
netdev/cc_maintainers	fail	1 blamed authors not CCed: jukka.rissanen@linux.intel.com; 1 maintainers not CCed: jukka.rissanen@linux.intel.com
netdev/build_clang	success	Errors and warnings before: 18 this patch: 18
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 18 this patch: 18
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 28 lines checked
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/series_format

warning

Single patches do not need cover letters; Target tree name not specified in the subject

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 18 this patch: 18

netdev/cc_maintainers

fail

1 blamed authors not CCed: jukka.rissanen@linux.intel.com; 1 maintainers not CCed: jukka.rissanen@linux.intel.com

netdev/build_clang

success

Errors and warnings before: 18 this patch: 18

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 18 this patch: 18

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 28 lines checked

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

Commit Message

Jiasheng Jiang March 15, 2023, 7:06 a.m. UTC

Add the check for the return value of skb_clone since it may return NULL
pointer and cause NULL pointer dereference in send_pkt.

Fixes: 18722c247023 ("Bluetooth: Enable 6LoWPAN support for BT LE devices")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
---
Changelog:

v1 -> v2:

1. Modify the error handling in the loop.
---
 net/bluetooth/6lowpan.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

Comments

Simon Horman March 17, 2023, 9:03 p.m. UTC | #1

On Wed, Mar 15, 2023 at 03:06:21PM +0800, Jiasheng Jiang wrote:
> Add the check for the return value of skb_clone since it may return NULL
> pointer and cause NULL pointer dereference in send_pkt.
> 
> Fixes: 18722c247023 ("Bluetooth: Enable 6LoWPAN support for BT LE devices")
> Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> ---
> Changelog:
> 
> v1 -> v2:
> 
> 1. Modify the error handling in the loop.

I think that at a minimum this needs to be included in the patch description.
Or better, in it's own patch with it's own fixes tag.
It seems like a fundamental change to the error handling to me.

> ---
>  net/bluetooth/6lowpan.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
> index 4eb1b3ced0d2..55ae2ff40efb 100644
> --- a/net/bluetooth/6lowpan.c
> +++ b/net/bluetooth/6lowpan.c
> @@ -477,19 +477,25 @@ static int send_mcast_pkt(struct sk_buff *skb, struct net_device *netdev)
>  			int ret;
>  
>  			local_skb = skb_clone(skb, GFP_ATOMIC);
> +			if (!local_skb) {
> +				err = -ENOMEM;
> +				goto out;
> +			}
>  
>  			BT_DBG("xmit %s to %pMR type %u IP %pI6c chan %p",
>  			       netdev->name,
>  			       &pentry->chan->dst, pentry->chan->dst_type,
>  			       &pentry->peer_addr, pentry->chan);
>  			ret = send_pkt(pentry->chan, local_skb, netdev);
> -			if (ret < 0)
> -				err = ret;
> -
>  			kfree_skb(local_skb);
> +			if (ret < 0) {
> +				err = ret;
> +				goto out;
> +			}
>  		}
>  	}
>  
> +out:
>  	rcu_read_unlock();
>  
>  	return err;
> -- 
> 2.25.1
>

diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 4eb1b3ced0d2..55ae2ff40efb 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -477,19 +477,25 @@  static int send_mcast_pkt(struct sk_buff *skb, struct net_device *netdev)
 			int ret;
 
 			local_skb = skb_clone(skb, GFP_ATOMIC);
+			if (!local_skb) {
+				err = -ENOMEM;
+				goto out;
+			}
 
 			BT_DBG("xmit %s to %pMR type %u IP %pI6c chan %p",
 			       netdev->name,
 			       &pentry->chan->dst, pentry->chan->dst_type,
 			       &pentry->peer_addr, pentry->chan);
 			ret = send_pkt(pentry->chan, local_skb, netdev);
-			if (ret < 0)
-				err = ret;
-
 			kfree_skb(local_skb);
+			if (ret < 0) {
+				err = ret;
+				goto out;
+			}
 		}
 	}
 
+out:
 	rcu_read_unlock();
 
 	return err;

[v2] Bluetooth: 6LoWPAN: Add missing check for skb_clone

Checks

Commit Message

Comments

Patch