Subject: Patch "Bluetooth: 6lowpan: Fix kernel NULL pointer dereferences" has been added to the 4.4-stable tree
Message-Id: <1456859371255121@kroah.com>
Date: Tue, 01 Mar 2016 19:09:32 +0000
Sender: stable-owner@vger.kernel.org

This is a note to let you know that I've just added the patch titled

    Bluetooth: 6lowpan: Fix kernel NULL pointer dereferences

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-6lowpan-fix-kernel-null-pointer-dereferences.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

>>From 4c58f3282e3de43d34f8955f8eca676294380bf9 Mon Sep 17 00:00:00 2001
From: Glenn Ruben Bakke
Date: Wed, 13 Jan 2016 16:41:42 +0100
Subject: Bluetooth: 6lowpan: Fix kernel NULL pointer dereferences
From: Glenn Ruben Bakke commit 4c58f3282e3de43d34f8955f8eca676294380bf9 upstream. The fixes provided in this patch assigns a valid net_device structure to skb before dispatching it for further processing. Scenario #1: ============ Bluetooth 6lowpan receives an uncompressed IPv6 header, and dispatches it to netif. The following error occurs: Null pointer dereference error #1 crash log: [ 845.854013] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 [ 845.855785] IP: [] enqueue_to_backlog+0x56/0x240 ... [ 845.909459] Call Trace: [ 845.911678] [] netif_rx_internal+0x44/0xf0 The first modification fixes the NULL pointer dereference error by assigning dev to the local_skb in order to set a valid net_device before processing the skb by netif_rx_ni(). Scenario #2: ============ Bluetooth 6lowpan receives an UDP compressed message which needs further decompression by nhc_udp. The following error occurs: Null pointer dereference error #2 crash log: [ 63.295149] BUG: unable to handle kernel NULL pointer dereference at 0000000000000840 [ 63.295931] IP: [] udp_uncompress+0x320/0x626 [nhc_udp] The second modification fixes the NULL pointer dereference error by assigning dev to the local_skb in the case of a udp compressed packet. The 6lowpan udp_uncompress function expects that the net_device is set in the skb when checking lltype. Signed-off-by: Glenn Ruben Bakke Signed-off-by: Lukasz Duda Acked-by: Jukka Rissanen Signed-off-by: Johan Hedberg Signed-off-by: Greg Kroah-Hartman --- net/bluetooth/6lowpan.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c @@ -317,6 +317,7 @@ static int recv_pkt(struct sk_buff *skb, local_skb->protocol = htons(ETH_P_IPV6); local_skb->pkt_type = PACKET_HOST; + local_skb->dev = dev; skb_set_transport_header(local_skb, sizeof(struct ipv6hdr)); 
@@ -335,6 +336,8 @@ static int recv_pkt(struct sk_buff *skb, if (!local_skb) goto drop; + local_skb->dev = dev; + ret = iphc_decompress(local_skb, dev, chan); if (ret < 0) { kfree_skb(local_skb); @@ -343,7 +346,6 @@ static int recv_pkt(struct sk_buff *skb, local_skb->protocol = htons(ETH_P_IPV6); local_skb->pkt_type = PACKET_HOST; - local_skb->dev = dev; if (give_skb_to_upper(local_skb, dev) != NET_RX_SUCCESS) { Patches currently in stable-queue which might be from glenn.ruben.bakke@nordicsemi.no are queue-4.4/bluetooth-6lowpan-fix-kernel-null-pointer-dereferences.patch queue-4.4/bluetooth-6lowpan-fix-handling-of-uncompressed-ipv6-packets.patch
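Review bot: In the first hunk (@@ -317, the uncompressed IPv6 branch) local_skb->dev = dev; is placed after the protocol and pkt_type assignments, while the second hunk sets it immediately after the !local_skb check; setting it right after local_skb is obtained in both branches would keep the two paths consistent and ensure no later call in the branch sees an skb without a device. A short comment that the receive path the skb is handed to dereferences skb->dev (crash log #1 in the commit message faults in enqueue_to_backlog) would keep the line from being dropped in a later cleanup.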
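Review bot: The ordering requirement in the second hunk (@@ -335) is undocumented: local_skb->dev = dev; now has to precede iphc_decompress(local_skb, dev, chan), yet that call already receives dev as an argument, so nothing in the code tells a reader that the decompression path also reads skb->dev. Add a one-line comment above the assignment (for example, that the NHC UDP decompressor checks lltype through skb->dev); without it the assignment can easily drift back to its old position next to pkt_type, which is the line the third hunk (@@ -343) removes.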