Commit d16207f9 authored by Taehee Yoo's avatar Taehee Yoo Committed by Jakub Kicinski
Browse files

amt: fix possible null-ptr-deref in amt_rcv() 



When amt interface receives amt message, it tries to obtain amt private
data from sock.
If there is no amt private data, it frees an skb immediately.
After kfree_skb(), it increases the rx_dropped stats.
But in order to use rx_dropped, amt private data is needed.
So, it makes amt_rcv() to do not increase rx_dropped stats when it can
not obtain amt private data.

Reported-by: default avatarkernel test robot <lkp@intel.com>
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Fixes: 1a1a0e80 ("amt: fix possible memory leak in amt_rcv()")
Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent f55a0707

drivers/net/amt.c

+2 −1
Original line number Diff line number Diff line
@@ -2698,7 +2698,8 @@ static int amt_rcv(struct sock *sk, struct sk_buff *skb) 
	amt = rcu_dereference_sk_user_data(sk);

	if (!amt) {

		err = true;

		goto drop;

		kfree_skb(skb);

		goto out;

	}



	skb->dev = amt->dev;