Function nla_reserve() will return NULL if the tailroom of the skb is insufficient, so the return value shall be checked against NULL before it is used. But in function cgroupstats_user_cmd(), the return value of nla_reserve() (called at kernel/taskstats.c:430) is used without a NULL check. The related code is as follows.

cgroupstats_user_cmd @@kernel/taskstats.c:430
430         na = nla_reserve(rep_skb, CGROUPSTATS_TYPE_CGROUP_STATS,
431                          sizeof(struct cgroupstats));
432         stats = nla_data(na);
433         memset(stats, 0, sizeof(*stats));

Generally, the return value of nla_reserve() is checked against NULL. For example, in function mk_reply() in the same file as cgroupstats_user_cmd():

mk_reply @@kernel/taskstats.c:393
393         ret = nla_reserve(skb, TASKSTATS_TYPE_STATS, sizeof(struct taskstats));
394         if (!ret)
395                 goto err;
396         nla_nest_end(skb, na);
397
398         return nla_data(ret);

Thank you
RUC_Soft_Sec
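The following is an added example, not code from the bug report and not kernel code: a small user-space model of nla_reserve() and nla_data() that shows the failure the report describes and the check that mk_reply() already applies. The skb, nlattr and cgroupstats layouts, the toy_ prefixed helper names and the buffer sizes in main() are simplifying assumptions; the alignment rules follow the kernel's NLA_ALIGNTO of 4.

```c
/* Added example, not the bug report's code and not kernel code: a user-space
 * model of nla_reserve() that shows why its return value must be NULL-checked.
 * The skb, nlattr and cgroupstats layouts below are simplified assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLA_ALIGNTO     4
#define NLA_ALIGN(len)  (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN      ((int)NLA_ALIGN(sizeof(struct nlattr)))
#define CGROUPSTATS_TYPE_CGROUP_STATS 1

struct nlattr { uint16_t nla_len; uint16_t nla_type; };

/* Stand-in for sk_buff: a fixed buffer plus the number of bytes already used. */
struct skb { unsigned char *head; size_t size; size_t len; };

/* Same shape as the kernel's struct cgroupstats: five u64 counters. */
struct cgroupstats {
    uint64_t nr_sleeping, nr_running, nr_stopped, nr_uninterruptible, nr_io_wait;
};

static size_t skb_tailroom(const struct skb *skb) { return skb->size - skb->len; }

/* Mirrors nla_reserve(): the attribute is only appended when it fits in the
 * tailroom; otherwise NULL comes back and the skb is left untouched. */
static struct nlattr *toy_nla_reserve(struct skb *skb, int attrtype, int attrlen)
{
    size_t total = NLA_ALIGN(NLA_HDRLEN + attrlen);
    struct nlattr *nla;

    if (skb_tailroom(skb) < total)
        return NULL;
    nla = (struct nlattr *)(skb->head + skb->len);
    nla->nla_len = (uint16_t)(NLA_HDRLEN + attrlen);
    nla->nla_type = (uint16_t)attrtype;
    memset((unsigned char *)nla + NLA_HDRLEN, 0, total - NLA_HDRLEN);
    skb->len += total;
    return nla;
}

/* Mirrors nla_data(): header address plus NLA_HDRLEN, with no NULL handling,
 * so a NULL attribute turns into a near-NULL data pointer. */
static void *toy_nla_data(struct nlattr *nla) { return (unsigned char *)nla + NLA_HDRLEN; }

/* The pattern from cgroupstats_user_cmd() in the report: with a too-small skb
 * the memset() writes through nla_data(NULL). Kept only for comparison;
 * main() never calls it with a short buffer. */
static int fill_cgroupstats_unchecked(struct skb *skb)
{
    struct nlattr *na = toy_nla_reserve(skb, CGROUPSTATS_TYPE_CGROUP_STATS,
                                        sizeof(struct cgroupstats));
    struct cgroupstats *stats = toy_nla_data(na);

    memset(stats, 0, sizeof(*stats));
    stats->nr_running = 1;
    return 0;
}

/* The pattern from mk_reply(): test the reservation before touching it and
 * report -EMSGSIZE, the usual netlink error for "message does not fit". */
static int fill_cgroupstats_checked(struct skb *skb)
{
    struct nlattr *na = toy_nla_reserve(skb, CGROUPSTATS_TYPE_CGROUP_STATS,
                                        sizeof(struct cgroupstats));
    struct cgroupstats *stats;

    if (!na)
        return -EMSGSIZE;
    stats = toy_nla_data(na);
    memset(stats, 0, sizeof(*stats));
    stats->nr_running = 1;
    return 0;
}

int main(void)
{
    unsigned char buf[64];
    struct skb small = { buf, 8, 0 };          /* constructed: header fits, payload does not */
    struct skb large = { buf, sizeof buf, 0 }; /* constructed: enough tailroom */

    printf("checked, 8-byte skb:  %d (expect -EMSGSIZE = %d)\n",
           fill_cgroupstats_checked(&small), -EMSGSIZE);
    printf("checked, 64-byte skb: %d, skb->len now %zu\n",
           fill_cgroupstats_checked(&large), large.len);
    large.len = 0;  /* fresh skb, so the unchecked variant gets a valid attribute */
    printf("unchecked, 64-byte skb: %d\n", fill_cgroupstats_unchecked(&large));
    /* fill_cgroupstats_unchecked(&small) would be the NULL dereference from the report. */
    return 0;
}
```

The checked variant returns -EMSGSIZE and leaves the skb untouched whenever the aligned header plus payload exceeds the tailroom; in a real genetlink handler that code would be propagated to the caller so the reply is never sent half-built.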
A patch referencing this bug report has been merged in Linux v3.6-rc1:

commit 25353b3377d5a75d4b830477bb90a3691155de72
Author: Alan Cox <alan@linux.intel.com>
Date:   Mon Jul 30 14:42:49 2012 -0700

    taskstats: check nla_reserve() return