On Tue, Feb 12, 2019 at 6:10 PM Stephen Hemminger <step...@networkplumber.org> wrote:
> Original report from sharathker...@gmail.com:
>
> NULL POINTER DEREFERENCE DURING __skb_unlink()
>
> In the function call, __skb_try_recv_from_queue() (net/core/datagram.c),
> skb_queue_walk() walks through the queue without checking if the next member
> in the queue has a valid next pointer/address. When a socket buffer has to
> unlink, __skb_unlink() is called.
>
> Inside the __skb_unlink() function, it doesn't verify if skb->next has a valid
> address. skb->next is assigned and used, without verifying the value inside
> it.
It should always have a valid ->next pointer as it is in a doubly linked list, where the last one simply points to the head of the list. I don't see any problem in the code you quote here.

> What could be a probable solution, in this scenario? Should we check if
> skb->next is not NULL, before calling __skb_unlink()?

Do you have a reproducer? Also, your crash report is incomplete, it doesn't even show a kernel version... Is it 4.20.7? Is it tainted? Please share the complete dmesg.

Thanks.
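A small model of the list invariant the reply relies on, added here as an illustration; it is not code from the thread or from the kernel, and the `struct node`/`queue_*` names are made up. The head is a sentinel in a circular doubly linked list, so the last element's next points back to the head and an unlink never sees a NULL neighbour; the walk mirrors skb_queue_walk() and reports if that invariant is ever broken.

```c
#include <stddef.h>

/* Minimal model of the kernel's sk_buff_head/sk_buff queue (constructed
 * example, not kernel code): a circular doubly linked list whose head is a
 * sentinel, so an element's next/prev pointer is never NULL while queued. */
struct node { struct node *next, *prev; };
/* The head is the sentinel; an empty queue points to itself. */
static void queue_init(struct node *head) { head->next = head->prev = head; }

/* Append at the tail: the new last element's next points back to the head. */
static void queue_tail(struct node *head, struct node *n)
{
    struct node *last = head->prev;
    n->next = head;  n->prev = last;
    last->next = n;  head->prev = n;
}

/* Mirrors what __skb_unlink() does: both neighbours are dereferenced without
 * a NULL check, which is safe precisely because of the sentinel invariant. */
static void queue_unlink(struct node *n)
{
    struct node *next = n->next, *prev = n->prev;
    next->prev = prev;
    prev->next = next;
    n->next = n->prev = NULL;   /* detached element, as the kernel leaves it */
}

/* Walk like skb_queue_walk(); -1 if a next is NULL or a back-link is wrong. */
static int queue_check(const struct node *head)
{
    int count = 0;
    for (const struct node *p = head->next; p != head; p = p->next) {
        if (p == NULL || p->next == NULL || p->next->prev != p)
            return -1;
        count++;
    }
    return count;
}

/* Three-element queue: unlink the middle one, then empty it; 0 on success. */
static int demo(void)
{
    struct node head, a, b, c;
    queue_init(&head);
    queue_tail(&head, &a); queue_tail(&head, &b); queue_tail(&head, &c);
    if (queue_check(&head) != 3) return -1;
    queue_unlink(&b);
    if (queue_check(&head) != 2 || b.next != NULL) return -1;
    queue_unlink(&a); queue_unlink(&c);
    return queue_check(&head);   /* 0: empty again, head points to itself */
}
```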