From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Ahern Subject: Re: net/tcp: null-ptr-deref in __inet_lookup_listener/inet_exact_dif_match Date: Wed, 2 Nov 2016 12:31:20 -0600 Message-ID: References: <1478107305.7065.382.camel@edumazet-glaptop3.roam.corp.google.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Cc: "David S. Miller" , Alexey Kuznetsov , James Morris , Hideaki YOSHIFUJI , Patrick McHardy , netdev , LKML , Dmitry Vyukov , Alexander Potapenko , Kostya Serebryany , Eric Dumazet , syzkaller To: Eric Dumazet , Andrey Konovalov Return-path: In-Reply-To: <1478107305.7065.382.camel@edumazet-glaptop3.roam.corp.google.com> Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On 11/2/16 11:21 AM, Eric Dumazet wrote: > Thanks for your report. > > David, please take a look. > > TCP MD5 can call __inet_lookup_listener() with a NULL skb. interesting. I did not test md5 before sending, but doing so now I am not able to trigger the panic with any combination of passwords - correct, wrong, none, no listener, etc. perhaps I am missing a sysctl setting. Will send a fix. I see the call to __inet_lookup_listener with null skb. > > Bug added in commit a04a480d4392ea6efd117be2de564117b2a009c0