qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count` equals zero. Fix it by rejecting zero-length kzalloc() requests.
This patch fixes the following syzbot bug: https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a Reported-by: syzbot+03e343dbccf82a524...@syzkaller.appspotmail.com Signed-off-by: Peilin Ye <yepeilin...@gmail.com> --- net/qrtr/tun.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c index 15ce9b642b25..5465e94ba8e5 100644 --- a/net/qrtr/tun.c +++ b/net/qrtr/tun.c @@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from) ssize_t ret; void *kbuf; + if (!len) + return -EINVAL; + kbuf = kzalloc(len, GFP_KERNEL); if (!kbuf) return -ENOMEM; -- 2.25.1
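Review bot: The new `if (!len) return -EINVAL;` is correctly placed before `kbuf = kzalloc(len, GFP_KERNEL);`, since kzalloc() with a size of 0 returns the non-NULL sentinel ZERO_SIZE_PTR and the existing `if (!kbuf) return -ENOMEM;` therefore does not reject it; the commit message would be clearer if it stated this, and if it named the local `len` that the code actually tests rather than only `from->count`, so a reader can see the two refer to the same request length. It would also help to note in the commit message why a zero-length write is treated as an error (-EINVAL) instead of returning 0, as many write handlers do, since that is a userspace-visible behaviour choice.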