Function nlmsg_new() will return a NULL pointer if there is not enough memory. In function tipc_nl_node_get_monitor(), the return value of nlmsg_new() is not checked (see line 2100), which may result in bad memory access.

tipc_nl_node_get_monitor @@ net/tipc/node.c

2094 int tipc_nl_node_get_monitor(struct sk_buff *skb, struct genl_info *info)
2095 {
2096         struct net *net = sock_net(skb->sk);
2097         struct tipc_nl_msg msg;
2098         int err;
2099
2100         msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2101         msg.portid = info->snd_portid;
2102         msg.seq = info->snd_seq;
2103
2104         err = __tipc_nl_add_monitor_prop(net, &msg);
2105         if (err) {
2106                 nlmsg_free(msg.skb);
2107                 return err;
2108         }
2109
2110         return genlmsg_reply(msg.skb, info);
2111 }

Generally, the return value of nlmsg_new() should be checked against NULL, as follows.

nfc_genl_target_lost @@ net/nfc/netlink.c:

213 int nfc_genl_target_lost(struct nfc_dev *dev, u32 target_idx)
214 {
215         struct sk_buff *msg;
216         void *hdr;
217
218         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
219         if (!msg)
220                 return -ENOMEM;
...
237 nla_put_failure:
238         genlmsg_cancel(msg, hdr);
239 free_msg:
240         nlmsg_free(msg);
241         return -EMSGSIZE;
242 }

Thanks very much for your attention!

Pan Bian
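The pattern the report describes, as an added user-space model that is not part of the bug report or of the kernel source: a fault-injecting stand-in allocator plays the role of nlmsg_new() returning NULL under memory pressure, and the two functions below follow the shape of tipc_nl_node_get_monitor() before and after the NULL check. The names skb_model, model_nlmsg_new(), model_nlmsg_free(), model_add_monitor_prop(), get_monitor_unchecked(), get_monitor_checked(), run_variant() and the NULL_DEREF code are all constructed for this harness; the real __tipc_nl_add_monitor_prop() would dereference the NULL skb rather than return an error code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's struct sk_buff (hypothetical). */
struct skb_model {
    size_t room;
};

/* Fault-injection switch and live-allocation counter for the harness. */
static int inject_alloc_failure;
static int live_allocs;

/* Stand-in for nlmsg_new(): returns NULL on failure, like the kernel API. */
static struct skb_model *model_nlmsg_new(size_t payload)
{
    struct skb_model *skb;

    if (inject_alloc_failure)
        return NULL;
    skb = malloc(sizeof(*skb));
    if (!skb)
        return NULL;
    skb->room = payload;
    live_allocs++;
    return skb;
}

/* Stand-in for nlmsg_free(): tolerates NULL, as the kernel's does. */
static void model_nlmsg_free(struct skb_model *skb)
{
    if (!skb)
        return;
    live_allocs--;
    free(skb);
}

/* Stand-in for __tipc_nl_add_monitor_prop(): the real helper writes
 * attributes into msg->skb, so a NULL skb is dereferenced there. This
 * harness reports that case as the constructed code NULL_DEREF instead
 * of crashing, so the outcome can be checked from a test. */
#define NULL_DEREF (-1000)

static int model_add_monitor_prop(struct skb_model *skb)
{
    if (!skb)
        return NULL_DEREF;
    skb->room -= 1;
    return 0;
}

/* Shape of the reported function: the nlmsg_new() result is used unchecked. */
static int get_monitor_unchecked(void)
{
    struct skb_model *skb = model_nlmsg_new(4096);
    int err;

    err = model_add_monitor_prop(skb);   /* skb may be NULL here */
    if (err) {
        model_nlmsg_free(skb);
        return err;
    }
    model_nlmsg_free(skb);   /* stands in for genlmsg_reply() consuming the skb */
    return 0;
}

/* Shape of the fix: check the allocation and fail cleanly with -ENOMEM. */
static int get_monitor_checked(void)
{
    struct skb_model *skb = model_nlmsg_new(4096);
    int err;

    if (!skb)
        return -ENOMEM;
    err = model_add_monitor_prop(skb);
    if (err) {
        model_nlmsg_free(skb);
        return err;
    }
    model_nlmsg_free(skb);
    return 0;
}

/* Run one variant with or without an injected allocation failure and
 * return its result; live_allocs afterwards shows whether it leaked. */
static int run_variant(int (*variant)(void), int fail_alloc)
{
    inject_alloc_failure = fail_alloc;
    return variant();
}

int main(void)
{
    printf("unchecked, alloc ok:   %d (live allocs %d)\n",
           run_variant(get_monitor_unchecked, 0), live_allocs);
    printf("unchecked, alloc fail: %d (live allocs %d)\n",
           run_variant(get_monitor_unchecked, 1), live_allocs);
    printf("checked,   alloc ok:   %d (live allocs %d)\n",
           run_variant(get_monitor_checked, 0), live_allocs);
    printf("checked,   alloc fail: %d (live allocs %d)\n",
           run_variant(get_monitor_checked, 1), live_allocs);
    return 0;
}
```

The harness mirrors how such fixes are exercised in practice: force the allocator to fail and confirm the function returns -ENOMEM without touching the buffer and without leaving an allocation behind on either path.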
Created attachment 256471
The patch fixes the bug

The patch has been merged into the latest version of the Linux kernel. So I will close the bug.