From: Eric Dumazet <[email protected]>
Date: Thu, 19 Jul 2018 16:04:38 -0700
> syzbot caught a NULL deref [1], caused by skb_segment()
>
> skb_segment() has many "goto err;" that assume the @err variable
> contains -ENOMEM.
>
> A successful call to __skb_linearize() should not clear @err,
> otherwise a subsequent memory allocation error could return NULL.
Ugh, good catch.
> While we are at it, we might use -EINVAL instead of -ENOMEM when
> MAX_SKB_FRAGS limit is reached.
...
> Fixes: ddff00d42043 ("net: Move skb_has_shared_frag check out of GRE code and into segmentation")
> Signed-off-by: Eric Dumazet <[email protected]>
> Cc: Alexander Duyck <[email protected]>
> Reported-by: syzbot <[email protected]>
Applied and queued up for -stable.
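As an added illustration that is not code from this thread or from the kernel, the following simplified C model shows the error-path problem the commit message describes: a "goto err;" that assumes @err still holds -ENOMEM, a successful linearize call that silently overwrote it with 0, and the fixed flow that keeps @err intact and reports -EINVAL for the fragment-limit case. The model_* helpers and the three boolean inputs are constructed stand-ins for the real kernel calls.

```c
#include <errno.h>
#include <stdbool.h>

/* Model of __skb_linearize(): 0 on success, -ENOMEM on failure.
 * Constructed stand-in, not the kernel function. */
static int model_linearize(bool ok)
{
	return ok ? 0 : -ENOMEM;
}

/* Buggy flow: storing the linearize result in @err overwrites the
 * pre-set -ENOMEM with 0 on success.  Every later "goto err;" then
 * returns 0, which the caller turns into ERR_PTR(0), i.e. NULL,
 * instead of a real error pointer. */
int segment_buggy(bool linearize_ok, bool too_many_frags, bool alloc_ok)
{
	int err = -ENOMEM;

	err = model_linearize(linearize_ok);
	if (err)
		goto err;
	if (too_many_frags)
		goto err;	/* assumes err == -ENOMEM, but it is 0 now */
	if (!alloc_ok)
		goto err;	/* same assumption, same silent 0 */
	return 0;
err:
	return err;
}

/* Fixed flow: test the linearize result without assigning it to @err,
 * so @err still holds -ENOMEM on every later jump, and use -EINVAL
 * when the fragment limit is hit, as the commit message suggests. */
int segment_fixed(bool linearize_ok, bool too_many_frags, bool alloc_ok)
{
	int err = -ENOMEM;

	if (model_linearize(linearize_ok))
		goto err;
	if (too_many_frags) {
		err = -EINVAL;
		goto err;
	}
	if (!alloc_ok)
		goto err;
	return 0;
err:
	return err;
}
```

The interesting case is a successful linearize followed by an allocation failure: the buggy flow returns 0 (a NULL once wrapped in ERR_PTR), the fixed flow returns -ENOMEM.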