From: Eric Dumazet <eduma...@google.com>
Date: Thu, 19 Jul 2018 16:04:38 -0700

> syzbot caught a NULL deref [1], caused by skb_segment()
>
> skb_segment() has many "goto err;" that assume the @err variable
> contains -ENOMEM.
>
> A successful call to __skb_linearize() should not clear @err,
> otherwise a subsequent memory allocation error could return NULL.

Ugh, good catch.

> While we are at it, we might use -EINVAL instead of -ENOMEM when
> MAX_SKB_FRAGS limit is reached.
 ...
> Fixes: ddff00d42043 ("net: Move skb_has_shared_frag check out of GRE code and
> into segmentation")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Cc: Alexander Duyck <alexander.h.du...@intel.com>
> Reported-by: syzbot <syzkal...@googlegroups.com>

Applied and queued up for -stable.
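
Added example, not part of the original message or the kernel patch: a userspace C model of the failure described in the quoted commit message, where a successful helper call overwrites an error variable that later "goto err;" paths expect to hold -ENOMEM. The names err_ptr, is_err, model_linearize, model_alloc, segment_buggy and segment_fixed are hypothetical stand-ins, and the fixed form shown is one way to keep @err intact, not necessarily what the patch does.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-in for ERR_PTR(): errno encoded as a pointer, so 0 becomes NULL. */
static void *err_ptr(long e) { return (void *)(intptr_t)e; }
/* Stand-in for IS_ERR(): true only for the top 4095 address values, never for NULL. */
static int is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }
/* Hypothetical helpers: linearize always succeeds; alloc fails on request. */
static int model_linearize(void) { return 0; }
static void *model_alloc(int fail) { return fail ? NULL : malloc(16); }

/* Buggy shape: the helper's successful return value is stored in err. */
static void *segment_buggy(int alloc_fails)
{
	int err = -ENOMEM;		/* every "goto err" below relies on this */
	void *seg;

	err = model_linearize();	/* success writes 0 into err */
	if (err)
		goto err;
	seg = model_alloc(alloc_fails);
	if (!seg)
		goto err;		/* err is 0 here, not -ENOMEM */
	return seg;
err:
	return err_ptr(err);		/* err_ptr(0) is NULL */
}

/* Fixed shape (assumed): test the helper's result without assigning it to err. */
static void *segment_fixed(int alloc_fails)
{
	int err = -ENOMEM;
	void *seg;

	if (model_linearize())
		goto err;
	seg = model_alloc(alloc_fails);
	if (!seg)
		goto err;
	return seg;
err:
	return err_ptr(err);
}

int main(void)
{
	printf("buggy is_err=%d fixed is_err=%d\n", is_err(segment_buggy(1)), is_err(segment_fixed(1)));
	return 0;
}
```

A caller that only checks the is_err() range sees the buggy function's NULL as a valid pointer, which is how an allocation failure turns into a NULL dereference.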