Subject: Re: [PATCH] ipv6:ipv6_pinfo dereferenced after NULL check
From: Hannes Frederic Sowa
To: Manjeet Pawar, davem@davemloft.net, kuznet@ms2.inr.ac.ru, jmorris@namei.org, yoshfuji@linux-ipv6.org, kaber@trash.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: pankaj.m@samsung.com, ajeet.y@samsung.com, Rohit Thapliyal
Date: Tue, 22 Nov 2016 13:26:45 +0100
Message-ID: <611c167e-cef4-691b-f154-1b6b6aa86e53@stressinduktion.org>
In-Reply-To: <1479796024-39418-1-git-send-email-manjeet.p@samsung.com>

On 22.11.2016 07:27, Manjeet Pawar wrote:
> From: Rohit Thapliyal
>
> np checked for NULL and then dereferenced. It should be modified
> for the NULL case.
>
> Signed-off-by: Rohit Thapliyal
> Signed-off-by: Manjeet Pawar
> ---
> net/ipv6/ip6_output.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> index 1dfc402..c2afa14 100644
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -205,14 +205,15 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
> /*
> * Fill in the IPv6 header
> */
> - if (np)
> + if (np) {
> hlimit = np->hop_limit;
> + ip6_flow_hdr(
> + hdr, tclass, ip6_make_flowlabel(
> + net, skb, fl6->flowlabel,
> + np->autoflowlabel, fl6));
> + }
> if (hlimit < 0)
> hlimit = ip6_dst_hoplimit(dst);
>
> - ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
> - np->autoflowlabel, fl6));
> -
> hdr->payload_len = htons(seg_len);
> hdr->nexthdr = proto;
> hdr->hop_limit = hlimit;

We always should initialize hdr and not skip the ip6_flow_hdr call.

Did you see a bug or did you find this by code review? I wonder if np can
actually be NULL at this point. Maybe we can just eliminate the NULL
check.

Thanks,
Hannes
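Review bot: Moving the `ip6_flow_hdr(...)` call inside the `if (np) {` block means that whenever np is NULL the IPv6 header's version, traffic class and flow label are never written, so the hunk trades a NULL dereference for an hdr that is sent with those fields uninitialized, which is the worse outcome. Keep the `ip6_flow_hdr()` call unconditional and guard only the `np->autoflowlabel` read (for instance by loading it into a local inside the existing `if (np)` block), or, as the reply suggests, first establish whether np can be NULL in ip6_xmit() at all and drop the check if it cannot; the commit message should say whether the NULL path was actually observed or found by inspection. The wrapping of the moved call (`ip6_flow_hdr(` alone on a line, arguments spread over three more) also departs from the surrounding style; the two-line layout of the call being removed further down the hunk is the one to keep.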