alistair23-linux/net/ipv4
Masayuki Nakagawa fb7e2399ec [TCP]: skb is unexpectedly freed.
I encountered a kernel panic with my test program, which is a very
simple IPv6 client-server program.

The server side sets IPV6_RECVPKTINFO on a listening socket, and the
client side just sends a message to the server.  Then the kernel panic
occurs on the server.  (If you need the test program, please let me
know. I can provide it.)

This problem happens because a skb is forcibly freed in
tcp_rcv_state_process().

When a socket in listening state (TCP_LISTEN) receives a SYN packet,
then tcp_v6_conn_request() will be called from
tcp_rcv_state_process().  If tcp_v6_conn_request() successfully
returns, the skb would be discarded by __kfree_skb().

However, in the case of a listening socket on which
IPV6_RECVPKTINFO was already set, the address of the skb will be
stored in treq->pktopts and the ref count of the skb will be
incremented in tcp_v6_conn_request().  But, even if the skb is still
in use, the skb will be freed.  Then someone still using the freed
skb will cause the kernel panic.

I suggest using kfree_skb() instead of __kfree_skb().

Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-23 20:25:52 -08:00
ipvs [IPVS]: Make ip_vs_sync.c <= 80col wide. 2006-12-11 14:35:03 -08:00
netfilter [NETFILTER]: ctnetlink: fix leak in ctnetlink_create_conntrack error path 2007-01-23 20:25:42 -08:00
af_inet.c [INET]: style updates for the inet_sock->is_icsk assignment fix 2007-01-09 14:37:06 -08:00
ah4.c [IPV4]: encapsulation annotations 2006-12-02 21:21:17 -08:00
arp.c [IPV6]: Assorted trivial endianness annotations. 2006-12-02 21:22:50 -08:00
cipso_ipv4.c NetLabel: add the ranged tag to the CIPSOv4 protocol 2006-12-02 21:31:38 -08:00
datagram.c
devinet.c [IPV4] devinet: inetdev_init out label moved after RCU assignment 2007-01-09 14:38:31 -08:00
esp4.c [IPV4]: encapsulation annotations 2006-12-02 21:21:17 -08:00
fib_frontend.c [NETLINK]: Remove unused dst_pid field in netlink_skb_parms 2006-12-02 21:30:43 -08:00
fib_hash.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
fib_lookup.h
fib_rules.c [NETLINK]: Do precise netlink message allocations where possible 2006-12-02 21:22:11 -08:00
fib_semantics.c [NETLINK]: Do precise netlink message allocations where possible 2006-12-02 21:22:11 -08:00
fib_trie.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
icmp.c [NET]: Annotate callers of the reset of checksum.h stuff. 2006-12-02 21:23:34 -08:00
igmp.c [NET]: Annotate callers of csum_fold() in net/* 2006-12-02 21:23:27 -08:00
inet_connection_sock.c [NET]: Size listen hash tables using backlog hint 2006-12-02 21:21:44 -08:00
inet_diag.c
inet_hashtables.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
inet_timewait_sock.c Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2006-12-07 09:05:15 -08:00
inetpeer.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
ip_forward.c
ip_fragment.c fix typo in net/ipv4/ip_fragment.c 2006-12-12 19:48:59 +01:00
ip_gre.c [NET]: Annotate callers of the reset of checksum.h stuff. 2006-12-02 21:23:34 -08:00
ip_input.c
ip_options.c [NetLabel]: protect the CIPSOv4 socket option from setsockopt() 2006-10-30 15:24:49 -08:00
ip_output.c [NET]: Convert hh_lock to seqlock. 2006-12-08 17:19:20 -08:00
ip_sockglue.c [IPV6]: Assorted trivial endianness annotations. 2006-12-02 21:22:50 -08:00
ipcomp.c
ipconfig.c [NET]: ipconfig and nfsroot annotations 2006-12-02 21:21:09 -08:00
ipip.c [IPV4]: encapsulation annotations 2006-12-02 21:21:17 -08:00
ipmr.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
Kconfig [TCP] MD5SIG: Kill CONFIG_TCP_MD5SIG_DEBUG. 2006-12-02 21:31:47 -08:00
Makefile [NET]: Supporting UDP-Lite (RFC 3828) in Linux 2006-12-02 21:22:46 -08:00
multipath.c
multipath_drr.c
multipath_random.c
multipath_rr.c
multipath_wrandom.c
netfilter.c [NETFILTER]: Fix routing of REJECT target generated packets in output chain 2007-01-04 12:15:34 -08:00
proc.c [NET]: Supporting UDP-Lite (RFC 3828) in Linux 2006-12-02 21:22:46 -08:00
protocol.c
raw.c [IPV6]: Assorted trivial endianness annotations. 2006-12-02 21:22:50 -08:00
route.c [IPV4]: Fix BUG of ip_rt_send_redirect() 2006-12-18 00:26:35 -08:00
syncookies.c [IPV6]: Assorted trivial endianness annotations. 2006-12-02 21:22:50 -08:00
sysctl_net_ipv4.c [PATCH] sysctl: remove unused "context" param 2006-12-10 09:55:41 -08:00
tcp.c [TCP]: Fix oops caused by __tcp_put_md5sig_pool() 2006-12-13 16:48:26 -08:00
tcp_bic.c
tcp_cong.c [TCP]: Allow autoloading of congestion control via setsockopt. 2006-12-02 21:21:50 -08:00
tcp_cubic.c [TCP] cubic: scaling error 2006-10-25 23:04:12 -07:00
tcp_diag.c
tcp_highspeed.c
tcp_htcp.c [TCP] htcp: Better packing of struct htcp. 2006-12-02 21:22:14 -08:00
tcp_hybla.c
tcp_input.c [TCP]: skb is unexpectedly freed. 2007-01-23 20:25:52 -08:00
tcp_ipv4.c [TCP]: Fix iov_len calculation in tcp_v4_send_ack(). 2007-01-09 00:30:08 -08:00
tcp_lp.c
tcp_minisocks.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6 2006-12-05 14:37:56 +00:00
tcp_output.c [TCP]: MD5 Signature Option (RFC2385) support. 2006-12-02 21:22:39 -08:00
tcp_probe.c [PATCH] email change for shemminger@osdl.org 2007-01-23 14:18:49 -08:00
tcp_scalable.c
tcp_timer.c [IPV6]: Assorted trivial endianness annotations. 2006-12-02 21:22:50 -08:00
tcp_vegas.c [TCP] Vegas: Increase default alpha to 2 and beta to 4. 2006-12-02 21:31:03 -08:00
tcp_veno.c
tcp_westwood.c
tunnel4.c
udp.c [UDP]: Fix reversed logic in udp_get_port(). 2006-12-22 11:42:26 -08:00
udp_impl.h [NET]: Supporting UDP-Lite (RFC 3828) in Linux 2006-12-02 21:22:46 -08:00
udplite.c [NET]: Possible cleanups. 2006-12-02 21:31:51 -08:00
xfrm4_input.c
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c
xfrm4_output.c
xfrm4_policy.c [IPSEC]: Fix inetpeer leak in ipv4 xfrm dst entries. 2006-12-06 23:45:15 -08:00
xfrm4_state.c
xfrm4_tunnel.c