Hi Yue,
Thanks for your patch! Yesterday, I also sent a patch to "tipc-discussion" to solve this issue... Actually, the 'tipc_msg_append()' needs to be fixed instead. In fact, we never expect the 'txq' to be empty; otherwise the crash will still happen, but at another place.

BR/Tuong

-----Original Message-----
From: YueHaibing <yuehaib...@huawei.com>
Sent: Thursday, May 28, 2020 9:34 PM
To: jma...@redhat.com; ying....@windriver.com; da...@davemloft.net; k...@kernel.org; Tuong Tong Lien <tuong.t.l...@dektech.com.au>
Cc: net...@vger.kernel.org; tipc-discussion@lists.sourceforge.net; linux-ker...@vger.kernel.org; YueHaibing <yuehaib...@huawei.com>
Subject: [PATCH net-next] tipc: Fix NULL pointer dereference in __tipc_sendstream()

tipc_sendstream() may send a zero-length packet; then tipc_msg_append() does not alloc an skb, skb_peek_tail() will get NULL, and msg_set_ack_required() will trigger a NULL pointer dereference.

Reported-by: syzbot+8eac6d030e7807c21...@syzkaller.appspotmail.com
Fixes: 0a3e060f340d ("tipc: add test for Nagle algorithm effectiveness")
Signed-off-by: YueHaibing <yuehaib...@huawei.com>
---
 net/tipc/socket.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index d6b67d07d22e..2943561399f1 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1588,8 +1588,12 @@ static int __tipc_sendstream(struct socket *sock, struct msghdr *m, size_t dlen)
 		tsk->pkt_cnt += skb_queue_len(txq);
 	} else {
 		skb = skb_peek_tail(txq);
-		msg_set_ack_required(buf_msg(skb));
-		tsk->expect_ack = true;
+		if (skb) {
+			msg_set_ack_required(buf_msg(skb));
+			tsk->expect_ack = true;
+		} else {
+			tsk->expect_ack = false;
+		}
 		tsk->msg_acc = 0;
 		tsk->pkt_cnt = 0;
 	}
-- 
2.17.1

_______________________________________________
tipc-discussion mailing list
tipc-discussion@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tipc-discussion
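Review bot: The new `if (skb)` guard in the else branch treats an empty txq as a legitimate state and silently sets `tsk->expect_ack = false`, but nothing in the hunk addresses the cause named in the commit message (a zero-length send for which tipc_msg_append() allocates no skb), so the same empty-txq condition can still surface elsewhere. Consider handling the zero-length case at its source, either by short-circuiting a send with no data before this point or by making tipc_msg_append() always leave an skb on txq, rather than adding a NULL check here; as written, the else path also falls through to `tsk->msg_acc = 0;` and `tsk->pkt_cnt = 0;` for a send that queued nothing. If the guard is kept, a short comment stating when skb can be NULL would help future readers.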