[syzbot] general protection fault in sctp_rcv

[syzbot] general protection fault in sctp_rcv

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    98dc68f8b0c2 selftests: nci: replace unsigned int with int
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=11fd443d300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c31c0936547df9ea
dashboard link: https://syzkaller.appspot.com/bug?extid=581aff2ae6b860625116
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 11205 Comm: kworker/0:12 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
Code: fb 03 0f 8e 51 01 00 00 e8 99 ac 17 f9 4c 01 ed e8 91 ac 17 f9 48 8d 7d 02 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <0f> b6 14 08 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ea
RSP: 0018:ffffc900000079c8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000fffffff2 RCX: dffffc0000000000
RDX: ffff88803d790000 RSI: ffffffff885e62cf RDI: 0000000000000002
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff885e6448 R11: 0000000000000000 R12: 000000000000050c
R13: ffff88803f42a0e4 R14: 0000000000000510 R15: ffff888070e2c500
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0dce1763ad CR3: 0000000027250000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109
 ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422
 ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
 dst_input include/net/dst.h:460 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5436
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5550
 process_backlog+0x2a5/0x6c0 net/core/dev.c:6427
 __napi_poll+0xaf/0x440 net/core/dev.c:6982
 napi_poll net/core/dev.c:7049 [inline]
 net_rx_action+0x801/0xb40 net/core/dev.c:7136
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 do_softirq.part.0+0xde/0x130 kernel/softirq.c:459
 </IRQ>
 do_softirq kernel/softirq.c:451 [inline]
 __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:383
 spin_unlock_bh include/linux/spinlock.h:408 [inline]
 addrconf_dad_work+0x474/0x1340 net/ipv6/addrconf.c:4077
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 80d76c5102c944b0 ]---
RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
Code: fb 03 0f 8e 51 01 00 00 e8 99 ac 17 f9 4c 01 ed e8 91 ac 17 f9 48 8d 7d 02 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <0f> b6 14 08 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ea
RSP: 0018:ffffc900000079c8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000fffffff2 RCX: dffffc0000000000
RDX: ffff88803d790000 RSI: ffffffff885e62cf RDI: 0000000000000002
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff885e6448 R11: 0000000000000000 R12: 000000000000050c
R13: ffff88803f42a0e4 R14: 0000000000000510 R15: ffff888070e2c500
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0dce1763ad CR3: 0000000027250000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	fb                   	sti
   1:	03 0f                	add    (%rdi),%ecx
   3:	8e 51 01             	mov    0x1(%rcx),%ss
   6:	00 00                	add    %al,(%rax)
   8:	e8 99 ac 17 f9       	callq  0xf917aca6
   d:	4c 01 ed             	add    %r13,%rbp
  10:	e8 91 ac 17 f9       	callq  0xf917aca6
  15:	48 8d 7d 02          	lea    0x2(%rbp),%rdi
  19:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  20:	fc ff df
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	0f b6 14 08          	movzbl (%rax,%rcx,1),%edx <-- trapping instruction
  2e:	48 89 f8             	mov    %rdi,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 01             	add    $0x1,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 08                	jl     0x43
  3b:	84 d2                	test   %dl,%dl
  3d:	0f                   	.byte 0xf
  3e:	85 ea                	test   %ebp,%edx


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Re: [syzbot] general protection fault in sctp_rcv

[Xin Long]

On Tue, Sep 21, 2021 at 12:09 PM syzbot
<syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    98dc68f8b0c2 selftests: nci: replace unsigned int with int
> git tree:       net
> console output: https://syzkaller.appspot.com/x/log.txt?x=11fd443d300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c31c0936547df9ea
> dashboard link: https://syzkaller.appspot.com/bug?extid=581aff2ae6b860625116
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com
>
> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 0 PID: 11205 Comm: kworker/0:12 Not tainted 5.14.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Workqueue: ipv6_addrconf addrconf_dad_work
> RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
by anyway, checking if skb_header_pointer() return NULL is always needed:
@@ -702,7 +702,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
                ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch);

                /* Break out if chunk length is less then minimal. */
-               if (ntohs(ch->length) < sizeof(_ch))
+               if (!ch || ntohs(ch->length) < sizeof(_ch))
                        break;

> RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
> Code: fb 03 0f 8e 51 01 00 00 e8 99 ac 17 f9 4c 01 ed e8 91 ac 17 f9 48 8d 7d 02 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <0f> b6 14 08 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ea
> RSP: 0018:ffffc900000079c8 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00000000fffffff2 RCX: dffffc0000000000
> RDX: ffff88803d790000 RSI: ffffffff885e62cf RDI: 0000000000000002
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffffff885e6448 R11: 0000000000000000 R12: 000000000000050c
> R13: ffff88803f42a0e4 R14: 0000000000000510 R15: ffff888070e2c500
> FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f0dce1763ad CR3: 0000000027250000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <IRQ>
>  sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109
>  ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422
>  ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463
>  NF_HOOK include/linux/netfilter.h:307 [inline]
>  NF_HOOK include/linux/netfilter.h:301 [inline]
>  ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
>  dst_input include/net/dst.h:460 [inline]
>  ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
>  NF_HOOK include/linux/netfilter.h:307 [inline]
>  NF_HOOK include/linux/netfilter.h:301 [inline]
>  ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297
>  __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5436
>  __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5550
>  process_backlog+0x2a5/0x6c0 net/core/dev.c:6427
>  __napi_poll+0xaf/0x440 net/core/dev.c:6982
>  napi_poll net/core/dev.c:7049 [inline]
>  net_rx_action+0x801/0xb40 net/core/dev.c:7136
>  __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
>  do_softirq.part.0+0xde/0x130 kernel/softirq.c:459
>  </IRQ>
>  do_softirq kernel/softirq.c:451 [inline]
>  __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:383
>  spin_unlock_bh include/linux/spinlock.h:408 [inline]
>  addrconf_dad_work+0x474/0x1340 net/ipv6/addrconf.c:4077
>  process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
>  worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
>  kthread+0x3e5/0x4d0 kernel/kthread.c:319
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> Modules linked in:
> ---[ end trace 80d76c5102c944b0 ]---
> RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
> RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
> Code: fb 03 0f 8e 51 01 00 00 e8 99 ac 17 f9 4c 01 ed e8 91 ac 17 f9 48 8d 7d 02 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <0f> b6 14 08 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ea
> RSP: 0018:ffffc900000079c8 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00000000fffffff2 RCX: dffffc0000000000
> RDX: ffff88803d790000 RSI: ffffffff885e62cf RDI: 0000000000000002
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffffff885e6448 R11: 0000000000000000 R12: 000000000000050c
> R13: ffff88803f42a0e4 R14: 0000000000000510 R15: ffff888070e2c500
> FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f0dce1763ad CR3: 0000000027250000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> ----------------
> Code disassembly (best guess):
>    0:   fb                      sti
>    1:   03 0f                   add    (%rdi),%ecx
>    3:   8e 51 01                mov    0x1(%rcx),%ss
>    6:   00 00                   add    %al,(%rax)
>    8:   e8 99 ac 17 f9          callq  0xf917aca6
>    d:   4c 01 ed                add    %r13,%rbp
>   10:   e8 91 ac 17 f9          callq  0xf917aca6
>   15:   48 8d 7d 02             lea    0x2(%rbp),%rdi
>   19:   48 b9 00 00 00 00 00    movabs $0xdffffc0000000000,%rcx
>   20:   fc ff df
>   23:   48 89 f8                mov    %rdi,%rax
>   26:   48 c1 e8 03             shr    $0x3,%rax
> * 2a:   0f b6 14 08             movzbl (%rax,%rcx,1),%edx <-- trapping instruction
>   2e:   48 89 f8                mov    %rdi,%rax
>   31:   83 e0 07                and    $0x7,%eax
>   34:   83 c0 01                add    $0x1,%eax
>   37:   38 d0                   cmp    %dl,%al
>   39:   7c 08                   jl     0x43
>   3b:   84 d2                   test   %dl,%dl
>   3d:   0f                      .byte 0xf
>   3e:   85 ea                   test   %ebp,%edx
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Re: [syzbot] general protection fault in sctp_rcv

[Dan Carpenter]

On Wed, Sep 22, 2021 at 05:18:29PM +0800, Xin Long wrote:
> On Tue, Sep 21, 2021 at 12:09 PM syzbot
> <syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    98dc68f8b0c2 selftests: nci: replace unsigned int with int
> > git tree:       net
> > console output: https://syzkaller.appspot.com/x/log.txt?x=11fd443d300000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=c31c0936547df9ea
> > dashboard link: https://syzkaller.appspot.com/bug?extid=581aff2ae6b860625116
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com
> >
> > general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > CPU: 0 PID: 11205 Comm: kworker/0:12 Not tainted 5.14.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: ipv6_addrconf addrconf_dad_work
> > RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
> by anyway, checking if skb_header_pointer() return NULL is always needed:
> @@ -702,7 +702,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
>                 ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch);
> 
>                 /* Break out if chunk length is less then minimal. */
> -               if (ntohs(ch->length) < sizeof(_ch))
> +               if (!ch || ntohs(ch->length) < sizeof(_ch))
>                         break;
> 

The skb_header_pointer() function is annotated as __must_check but that
only means you have to use the return value.  These things would be
better as a Coccinelle or Smatch check.

I will create a Smatch warning for this.

regards,
dan carpenter

Re: [syzbot] general protection fault in sctp_rcv

[Dan Carpenter]

On Thu, Sep 23, 2021 at 12:34:42PM +0300, Dan Carpenter wrote:
> On Wed, Sep 22, 2021 at 05:18:29PM +0800, Xin Long wrote:
> > On Tue, Sep 21, 2021 at 12:09 PM syzbot
> > <syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    98dc68f8b0c2 selftests: nci: replace unsigned int with int
> > > git tree:       net
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=11fd443d300000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=c31c0936547df9ea
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=581aff2ae6b860625116
> > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com
> > >
> > > general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> > > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > > CPU: 0 PID: 11205 Comm: kworker/0:12 Not tainted 5.14.0-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Workqueue: ipv6_addrconf addrconf_dad_work
> > > RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
> > by anyway, checking if skb_header_pointer() return NULL is always needed:
> > @@ -702,7 +702,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
> >                 ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch);
> > 
> >                 /* Break out if chunk length is less then minimal. */
> > -               if (ntohs(ch->length) < sizeof(_ch))
> > +               if (!ch || ntohs(ch->length) < sizeof(_ch))
> >                         break;
> > 
> 
> The skb_header_pointer() function is annotated as __must_check but that
> only means you have to use the return value.  These things would be
> better as a Coccinelle or Smatch check.
> 
> I will create a Smatch warning for this.

These are the Smatch warnings for this:

net/sctp/input.c:705 sctp_rcv_ootb() error: skb_header_pointer() returns NULL
net/ipv6/netfilter/ip6t_rt.c:111 rt_mt6() error: skb_header_pointer() returns NULL
net/ipv4/icmp.c:1076 icmp_build_probe() error: skb_header_pointer() returns NULL
net/ipv4/icmp.c:1089 icmp_build_probe() error: skb_header_pointer() returns NULL

regards,
dan carpenter

Re: [syzbot] general protection fault in sctp_rcv

[Xin Long]

On Sat, Sep 25, 2021 at 1:14 AM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Thu, Sep 23, 2021 at 12:34:42PM +0300, Dan Carpenter wrote:
> > On Wed, Sep 22, 2021 at 05:18:29PM +0800, Xin Long wrote:
> > > On Tue, Sep 21, 2021 at 12:09 PM syzbot
> > > <syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com> wrote:
> > > >
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit:    98dc68f8b0c2 selftests: nci: replace unsigned int with int
> > > > git tree:       net
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=11fd443d300000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=c31c0936547df9ea
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=581aff2ae6b860625116
> > > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > >
> > > > Unfortunately, I don't have any reproducer for this issue yet.
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com
> > > >
> > > > general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> > > > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > > > CPU: 0 PID: 11205 Comm: kworker/0:12 Not tainted 5.14.0-syzkaller #0
> > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > > Workqueue: ipv6_addrconf addrconf_dad_work
> > > > RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
> > > by anyway, checking if skb_header_pointer() return NULL is always needed:
> > > @@ -702,7 +702,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
> > >                 ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch);
> > >
> > >                 /* Break out if chunk length is less then minimal. */
> > > -               if (ntohs(ch->length) < sizeof(_ch))
> > > +               if (!ch || ntohs(ch->length) < sizeof(_ch))
> > >                         break;
> > >
> >
> > The skb_header_pointer() function is annotated as __must_check but that
> > only means you have to use the return value.  These things would be
> > better as a Coccinelle or Smatch check.
> >
> > I will create a Smatch warning for this.
>
> These are the Smatch warnings for this:
>
> net/sctp/input.c:705 sctp_rcv_ootb() error: skb_header_pointer() returns NULL
> net/ipv6/netfilter/ip6t_rt.c:111 rt_mt6() error: skb_header_pointer() returns NULL
> net/ipv4/icmp.c:1076 icmp_build_probe() error: skb_header_pointer() returns NULL
> net/ipv4/icmp.c:1089 icmp_build_probe() error: skb_header_pointer() returns NULL
Will post follow-ups for rt_mt6() and icmp_build_probe() too.

Thanks!
>
> regards,
> dan carpenter
>