tcp: fix more NULL deref after prequeue changes

[ Upstream commit 0f85feae6b710ced3abad5b2b47d31dfcb956b62 ] When I cooked commit c3658e8d0f1 ("tcp: fix possible NULL dereference in tcp_vX_send_reset()") I missed other spots we could deref a NULL skb_dst(skb) Again, if a socket is provided, we do not need skb_dst() to get a pointer to network namespace : sock_net(sk) is good enough. Reported-by: Dann Frazier <dann.frazier@canonical.com> Bisected-by: Dann Frazier <dann.frazier@canonical.com> Tested-by: Dann Frazier <dann.frazier@canonical.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode") Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: fix more NULL deref after prequeue changes
[ Upstream commit 0f85feae6b710ced3abad5b2b47d31dfcb956b62 ] When I cooked commit c3658e8d0f1 ("tcp: fix possible NULL dereference in tcp_vX_send_reset()") I missed other spots we could deref a NULL skb_dst(skb) Again, if a socket is provided, we do not need skb_dst() to get a pointer to network namespace : sock_net(sk) is good enough. Reported-by: Dann Frazier <dann.frazier@canonical.com> Bisected-by: Dann Frazier <dann.frazier@canonical.com> Tested-by: Dann Frazier <dann.frazier@canonical.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode") Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet · Greg Kroah-Hartman
1 parent ab12ec41d8
Showing 2 changed files with 16 additions and 16 deletions Side-by-side Diff
net/ipv4/tcp_ipv4.c
net/ipv6/tcp_ipv6.c
@@ -623,6 +623,7 @@
 	arg.iov[0].iov_base = (unsigned char *)&rep;
 	arg.iov[0].iov_len  = sizeof(rep.th);
  
+	net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
 #ifdef CONFIG_TCP_MD5SIG
 	hash_location = tcp_parse_md5sig_option(th);
 	if (!sk && hash_location) {
@@ -633,7 +634,7 @@
 		 * Incoming packet is checked with md5 hash with finding key,
 		 * no RST generated if md5 hash doesn't match.
 		 */
-		sk1 = __inet_lookup_listener(dev_net(skb_dst(skb)->dev),
+		sk1 = __inet_lookup_listener(net,
 					     &tcp_hashinfo, ip_hdr(skb)->saddr,
 					     th->source, ip_hdr(skb)->daddr,
 					     ntohs(th->source), inet_iif(skb));
@@ -681,7 +682,6 @@
 	if (sk)
 		arg.bound_dev_if = sk->sk_bound_dev_if;
  
-	net = dev_net(skb_dst(skb)->dev);
 	arg.tos = ip_hdr(skb)->tos;
 	ip_send_unicast_reply(net, skb, &TCP_SKB_CB(skb)->header.h4.opt,
 			      ip_hdr(skb)->saddr, ip_hdr(skb)->daddr,
@@ -787,16 +787,16 @@
 	.queue_hash_add =	inet6_csk_reqsk_queue_hash_add,
 };
  
-static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,
-				 u32 tsval, u32 tsecr, int oif,
-				 struct tcp_md5sig_key *key, int rst, u8 tclass,
-				 u32 label)
+static void tcp_v6_send_response(struct sock *sk, struct sk_buff *skb, u32 seq,
+				 u32 ack, u32 win, u32 tsval, u32 tsecr,
+				 int oif, struct tcp_md5sig_key *key, int rst,
+				 u8 tclass, u32 label)
 {
 	const struct tcphdr *th = tcp_hdr(skb);
 	struct tcphdr *t1;
 	struct sk_buff *buff;
 	struct flowi6 fl6;
-	struct net *net = dev_net(skb_dst(skb)->dev);
+	struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
 	struct sock *ctl_sk = net->ipv6.tcp_sk;
 	unsigned int tot_len = sizeof(struct tcphdr);
 	struct dst_entry *dst;
@@ -946,7 +946,7 @@
 			  (th->doff << 2);
  
 	oif = sk ? sk->sk_bound_dev_if : 0;
-	tcp_v6_send_response(skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);
+	tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);
  
 #ifdef CONFIG_TCP_MD5SIG
 release_sk1:
  
@@ -957,13 +957,13 @@
 #endif
 }
  
-static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
-			    u32 win, u32 tsval, u32 tsecr, int oif,
+static void tcp_v6_send_ack(struct sock *sk, struct sk_buff *skb, u32 seq,
+			    u32 ack, u32 win, u32 tsval, u32 tsecr, int oif,
 			    struct tcp_md5sig_key *key, u8 tclass,
 			    u32 label)
 {
-	tcp_v6_send_response(skb, seq, ack, win, tsval, tsecr, oif, key, 0, tclass,
-			     label);
+	tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0,
+			     tclass, label);
 }
  
 static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
@@ -971,7 +971,7 @@
 	struct inet_timewait_sock *tw = inet_twsk(sk);
 	struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
  
-	tcp_v6_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
+	tcp_v6_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
 			tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
 			tcp_time_stamp + tcptw->tw_ts_offset,
 			tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw),
  
@@ -986,10 +986,10 @@
 	/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
 	 * sk->sk_state == TCP_SYN_RECV -> for Fast Open.
 	 */
-	tcp_v6_send_ack(skb, (sk->sk_state == TCP_LISTEN) ?
+	tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ?
 			tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
-			tcp_rsk(req)->rcv_nxt,
-			req->rcv_wnd, tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
+			tcp_rsk(req)->rcv_nxt, req->rcv_wnd,
+			tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
 			tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),
 			0, 0);
 }
...	...	@@ -623,6 +623,7 @@
623	623	arg.iov[0].iov_base = (unsigned char *)&rep;
624	624	arg.iov[0].iov_len = sizeof(rep.th);
625	625
	626	+ net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
626	627	#ifdef CONFIG_TCP_MD5SIG
627	628	hash_location = tcp_parse_md5sig_option(th);
628	629	if (!sk && hash_location) {
...	...	@@ -633,7 +634,7 @@
633	634	* Incoming packet is checked with md5 hash with finding key,
634	635	* no RST generated if md5 hash doesn't match.
635	636	*/
636		- sk1 = __inet_lookup_listener(dev_net(skb_dst(skb)->dev),
	637	+ sk1 = __inet_lookup_listener(net,
637	638	&tcp_hashinfo, ip_hdr(skb)->saddr,
638	639	th->source, ip_hdr(skb)->daddr,
639	640	ntohs(th->source), inet_iif(skb));
...	...	@@ -681,7 +682,6 @@
681	682	if (sk)
682	683	arg.bound_dev_if = sk->sk_bound_dev_if;
683	684
684		- net = dev_net(skb_dst(skb)->dev);
685	685	arg.tos = ip_hdr(skb)->tos;
686	686	ip_send_unicast_reply(net, skb, &TCP_SKB_CB(skb)->header.h4.opt,
687	687	ip_hdr(skb)->saddr, ip_hdr(skb)->daddr,
...	...	@@ -787,16 +787,16 @@
787	787	.queue_hash_add = inet6_csk_reqsk_queue_hash_add,
788	788	};
789	789
790		-static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,
791		- u32 tsval, u32 tsecr, int oif,
792		- struct tcp_md5sig_key *key, int rst, u8 tclass,
793		- u32 label)
	790	+static void tcp_v6_send_response(struct sock sk, struct sk_buff skb, u32 seq,
	791	+ u32 ack, u32 win, u32 tsval, u32 tsecr,
	792	+ int oif, struct tcp_md5sig_key *key, int rst,
	793	+ u8 tclass, u32 label)
794	794	{
795	795	const struct tcphdr *th = tcp_hdr(skb);
796	796	struct tcphdr *t1;
797	797	struct sk_buff *buff;
798	798	struct flowi6 fl6;
799		- struct net *net = dev_net(skb_dst(skb)->dev);
	799	+ struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
800	800	struct sock *ctl_sk = net->ipv6.tcp_sk;
801	801	unsigned int tot_len = sizeof(struct tcphdr);
802	802	struct dst_entry *dst;
...	...	@@ -946,7 +946,7 @@
946	946	(th->doff << 2);
947	947
948	948	oif = sk ? sk->sk_bound_dev_if : 0;
949		- tcp_v6_send_response(skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);
	949	+ tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);
950	950
951	951	#ifdef CONFIG_TCP_MD5SIG
952	952	release_sk1:
953	953
...	...	@@ -957,13 +957,13 @@
957	957	#endif
958	958	}
959	959
960		-static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
961		- u32 win, u32 tsval, u32 tsecr, int oif,
	960	+static void tcp_v6_send_ack(struct sock sk, struct sk_buff skb, u32 seq,
	961	+ u32 ack, u32 win, u32 tsval, u32 tsecr, int oif,
962	962	struct tcp_md5sig_key *key, u8 tclass,
963	963	u32 label)
964	964	{
965		- tcp_v6_send_response(skb, seq, ack, win, tsval, tsecr, oif, key, 0, tclass,
966		- label);
	965	+ tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0,
	966	+ tclass, label);
967	967	}
968	968
969	969	static void tcp_v6_timewait_ack(struct sock sk, struct sk_buff skb)
...	...	@@ -971,7 +971,7 @@
971	971	struct inet_timewait_sock *tw = inet_twsk(sk);
972	972	struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
973	973
974		- tcp_v6_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
	974	+ tcp_v6_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
975	975	tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
976	976	tcp_time_stamp + tcptw->tw_ts_offset,
977	977	tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw),
978	978
...	...	@@ -986,10 +986,10 @@
986	986	/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
987	987	* sk->sk_state == TCP_SYN_RECV -> for Fast Open.
988	988	*/
989		- tcp_v6_send_ack(skb, (sk->sk_state == TCP_LISTEN) ?
	989	+ tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ?
990	990	tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
991		- tcp_rsk(req)->rcv_nxt,
992		- req->rcv_wnd, tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
	991	+ tcp_rsk(req)->rcv_nxt, req->rcv_wnd,
	992	+ tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
993	993	tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),
994	994	0, 0);
995	995	}