On Thu, 2016-12-01 at 06:34 -0800, Eric Dumazet wrote: > On Thu, 2016-12-01 at 14:06 +0100, Artem Savkov wrote: > > segs needs to be checked for being NULL in ipv6_gso_segment() before calling > > skb_shinfo(segs), otherwise kernel can run into a NULL-pointer dereference: > > > > Signed-off-by: Artem Savkov <asav...@redhat.com> > > --- > > > > > diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c > > index 1fcf61f..89c59e6 100644 > > --- a/net/ipv6/ip6_offload.c > > +++ b/net/ipv6/ip6_offload.c > > @@ -99,7 +99,7 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff > > *skb, > > segs = ops->callbacks.gso_segment(skb, features); > > } > > > > - if (IS_ERR(segs)) > > + if (IS_ERR_OR_NULL(segs)) > > goto out; > > > > gso_partial = !!(skb_shinfo(segs)->gso_type & SKB_GSO_PARTIAL); > > Do you know when was this bug added ? > > Are you sure this is the right fix ? > > Which gso_segment() is returning NULL exactly ?
Oh never mind. This is the same fix than 576a30eb64534 but applied to IPv6. Thanks ! Acked-by: Eric Dumazet <eduma...@google.com>