Commit 7efe8f1bb70588036edacab8b6c7f899092781f2
Committed by
Greg Kroah-Hartman
1 parent
ab12ec41d8
tcp: fix more NULL deref after prequeue changes
[ Upstream commit 0f85feae6b710ced3abad5b2b47d31dfcb956b62 ] When I cooked commit c3658e8d0f1 ("tcp: fix possible NULL dereference in tcp_vX_send_reset()") I missed other spots we could deref a NULL skb_dst(skb) Again, if a socket is provided, we do not need skb_dst() to get a pointer to network namespace : sock_net(sk) is good enough. Reported-by: Dann Frazier <dann.frazier@canonical.com> Bisected-by: Dann Frazier <dann.frazier@canonical.com> Tested-by: Dann Frazier <dann.frazier@canonical.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode") Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing 2 changed files with 16 additions and 16 deletions Side-by-side Diff
net/ipv4/tcp_ipv4.c
... | ... | @@ -623,6 +623,7 @@ |
623 | 623 | arg.iov[0].iov_base = (unsigned char *)&rep; |
624 | 624 | arg.iov[0].iov_len = sizeof(rep.th); |
625 | 625 | |
626 | + net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); | |
626 | 627 | #ifdef CONFIG_TCP_MD5SIG |
627 | 628 | hash_location = tcp_parse_md5sig_option(th); |
628 | 629 | if (!sk && hash_location) { |
... | ... | @@ -633,7 +634,7 @@ |
633 | 634 | * Incoming packet is checked with md5 hash with finding key, |
634 | 635 | * no RST generated if md5 hash doesn't match. |
635 | 636 | */ |
636 | - sk1 = __inet_lookup_listener(dev_net(skb_dst(skb)->dev), | |
637 | + sk1 = __inet_lookup_listener(net, | |
637 | 638 | &tcp_hashinfo, ip_hdr(skb)->saddr, |
638 | 639 | th->source, ip_hdr(skb)->daddr, |
639 | 640 | ntohs(th->source), inet_iif(skb)); |
... | ... | @@ -681,7 +682,6 @@ |
681 | 682 | if (sk) |
682 | 683 | arg.bound_dev_if = sk->sk_bound_dev_if; |
683 | 684 | |
684 | - net = dev_net(skb_dst(skb)->dev); | |
685 | 685 | arg.tos = ip_hdr(skb)->tos; |
686 | 686 | ip_send_unicast_reply(net, skb, &TCP_SKB_CB(skb)->header.h4.opt, |
687 | 687 | ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, |
net/ipv6/tcp_ipv6.c
... | ... | @@ -787,16 +787,16 @@ |
787 | 787 | .queue_hash_add = inet6_csk_reqsk_queue_hash_add, |
788 | 788 | }; |
789 | 789 | |
790 | -static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win, | |
791 | - u32 tsval, u32 tsecr, int oif, | |
792 | - struct tcp_md5sig_key *key, int rst, u8 tclass, | |
793 | - u32 label) | |
790 | +static void tcp_v6_send_response(struct sock *sk, struct sk_buff *skb, u32 seq, | |
791 | + u32 ack, u32 win, u32 tsval, u32 tsecr, | |
792 | + int oif, struct tcp_md5sig_key *key, int rst, | |
793 | + u8 tclass, u32 label) | |
794 | 794 | { |
795 | 795 | const struct tcphdr *th = tcp_hdr(skb); |
796 | 796 | struct tcphdr *t1; |
797 | 797 | struct sk_buff *buff; |
798 | 798 | struct flowi6 fl6; |
799 | - struct net *net = dev_net(skb_dst(skb)->dev); | |
799 | + struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev); | |
800 | 800 | struct sock *ctl_sk = net->ipv6.tcp_sk; |
801 | 801 | unsigned int tot_len = sizeof(struct tcphdr); |
802 | 802 | struct dst_entry *dst; |
... | ... | @@ -946,7 +946,7 @@ |
946 | 946 | (th->doff << 2); |
947 | 947 | |
948 | 948 | oif = sk ? sk->sk_bound_dev_if : 0; |
949 | - tcp_v6_send_response(skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0); | |
949 | + tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0); | |
950 | 950 | |
951 | 951 | #ifdef CONFIG_TCP_MD5SIG |
952 | 952 | release_sk1: |
953 | 953 | |
... | ... | @@ -957,13 +957,13 @@ |
957 | 957 | #endif |
958 | 958 | } |
959 | 959 | |
960 | -static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, | |
961 | - u32 win, u32 tsval, u32 tsecr, int oif, | |
960 | +static void tcp_v6_send_ack(struct sock *sk, struct sk_buff *skb, u32 seq, | |
961 | + u32 ack, u32 win, u32 tsval, u32 tsecr, int oif, | |
962 | 962 | struct tcp_md5sig_key *key, u8 tclass, |
963 | 963 | u32 label) |
964 | 964 | { |
965 | - tcp_v6_send_response(skb, seq, ack, win, tsval, tsecr, oif, key, 0, tclass, | |
966 | - label); | |
965 | + tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0, | |
966 | + tclass, label); | |
967 | 967 | } |
968 | 968 | |
969 | 969 | static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb) |
... | ... | @@ -971,7 +971,7 @@ |
971 | 971 | struct inet_timewait_sock *tw = inet_twsk(sk); |
972 | 972 | struct tcp_timewait_sock *tcptw = tcp_twsk(sk); |
973 | 973 | |
974 | - tcp_v6_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt, | |
974 | + tcp_v6_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt, | |
975 | 975 | tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale, |
976 | 976 | tcp_time_stamp + tcptw->tw_ts_offset, |
977 | 977 | tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw), |
978 | 978 | |
... | ... | @@ -986,10 +986,10 @@ |
986 | 986 | /* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV |
987 | 987 | * sk->sk_state == TCP_SYN_RECV -> for Fast Open. |
988 | 988 | */ |
989 | - tcp_v6_send_ack(skb, (sk->sk_state == TCP_LISTEN) ? | |
989 | + tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ? | |
990 | 990 | tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt, |
991 | - tcp_rsk(req)->rcv_nxt, | |
992 | - req->rcv_wnd, tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if, | |
991 | + tcp_rsk(req)->rcv_nxt, req->rcv_wnd, | |
992 | + tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if, | |
993 | 993 | tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr), |
994 | 994 | 0, 0); |
995 | 995 | } |