ipv6: do not clear pinet6 field
We have seen multiple NULL dereferences in __inet6_lookup_established().

After analysis, I found that inet6_sk() could be NULL while the check for sk_family == AF_INET6 was true.

Bug was added in linux-2.6.29 when RCU lookups were introduced in UDP and TCP stacks.

Once an IPv6 socket, using SLAB_DESTROY_BY_RCU, is inserted in a hash table, we no longer can clear the pinet6 field.

This patch extends the logic used in commit fcbdf09d ("net: fix nulls list corruptions in sk_prot_alloc").

TCP/UDP/UDPLite IPv6 protocols provide their own .clear_sk() method to make sure we do not clear the pinet6 field.

At socket clone phase, we do not really care, as cloning the parent (non NULL) pinet6 is not adding a fatal race.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
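The race the commit message describes, replayed in userspace. This is an added example, not code from the kernel or from this patch: it models one slab object of a SLAB_DESTROY_BY_RCU cache with a toy `struct inet_sock`/`struct tcp6_sock` (one nulls link instead of the kernel's two, an `sk_state` field standing in for everything else that is reset), a `generic_clear_sk()` that zeroes everything but the chain link as the pre-patch generic path did, and a `tcp_v6_clear_sk()` that skips `pinet6` in the spirit of the patch. `replay_reuse_race()` frees and immediately reuses the object, sets `sk_family` the way a new owner would, and then runs the family check plus `inet6_sk()` dereference that `__inet6_lookup_established()` performs on a concurrently reached object. Layout and field names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AF_INET6 10

/* One RCU "nulls" chain link. A real struct sock carries two
 * (skc_node and skc_portaddr_node); one is enough for the point. */
struct hlist_nulls_node {
    struct hlist_nulls_node *next;
};

struct ipv6_pinfo {
    unsigned char saddr[16];
    unsigned char daddr[16];
};

/* Toy inet_sock (assumed layout). The chain link must survive reuse of
 * the slab object (SLAB_DESTROY_BY_RCU); after this patch so must pinet6. */
struct inet_sock {
    struct hlist_nulls_node sk_node;
    unsigned short sk_family;
    unsigned int sk_state;        /* stands in for everything else that is reset */
    struct ipv6_pinfo *pinet6;    /* NULL for an IPv4 socket */
};

/* Toy tcp6_sock: pinet6 points at the inet6 member of the same object. */
struct tcp6_sock {
    struct inet_sock inet;
    struct ipv6_pinfo inet6;
};

static struct ipv6_pinfo *inet6_sk(const struct inet_sock *sk)
{
    return sk->pinet6;
}

/* Generic clear, modelled on the pre-patch net/core/sock.c behaviour:
 * zero everything except the nulls link, pinet6 included. */
static void generic_clear_sk(struct inet_sock *sk, size_t size)
{
    memset((char *)sk + sizeof(sk->sk_node), 0, size - sizeof(sk->sk_node));
}

/* IPv6-aware clear in the spirit of the patch's .clear_sk() methods:
 * zero up to pinet6, skip pinet6, zero the rest. */
static void tcp_v6_clear_sk(struct inet_sock *sk, size_t size)
{
    size_t before = offsetof(struct inet_sock, pinet6);
    size_t after = before + sizeof(sk->pinet6);

    memset((char *)sk + sizeof(sk->sk_node), 0, before - sizeof(sk->sk_node));
    memset((char *)sk + after, 0, size - after);
}

/* The guard in __inet6_lookup_established(): family check, then the
 * inet6_sk() dereference. Returns 1 if that dereference would hit NULL. */
static int lookup_hits_null(const struct inet_sock *sk)
{
    if (sk->sk_family != AF_INET6)
        return 0;
    return inet6_sk(sk) == NULL;
}

/* Replay the race on one slab object:
 *   1. an established IPv6 socket sits in the hash chain,
 *   2. it is freed and reused at once (SLAB_DESTROY_BY_RCU: no grace period),
 *   3. the new owner's clear_sk() runs and sk_family is set to AF_INET6,
 *   4. an RCU reader still walking the old chain reaches the object here,
 *   5. only afterwards would the new owner assign pinet6.
 * Returns 1 if the reader at step 4 dereferences a NULL pinet6. */
static int replay_reuse_race(void (*clear_sk)(struct inet_sock *, size_t))
{
    struct tcp6_sock obj;

    memset(&obj, 0xAA, sizeof(obj));           /* stale contents of the old socket */
    obj.inet.sk_family = AF_INET6;
    obj.inet.pinet6 = &obj.inet6;              /* step 1 */

    clear_sk(&obj.inet, sizeof(obj));          /* steps 2-3 */
    obj.inet.sk_family = AF_INET6;

    return lookup_hits_null(&obj.inet);        /* step 4 */
}

/* After the IPv6-aware clear, everything except the link and pinet6 is zero,
 * i.e. the fix does not skip more than the one field it must keep. */
static int ipv6_clear_resets_rest(void)
{
    struct tcp6_sock obj;

    memset(&obj, 0xAA, sizeof(obj));
    obj.inet.pinet6 = &obj.inet6;
    tcp_v6_clear_sk(&obj.inet, sizeof(obj));
    return obj.inet.sk_family == 0 && obj.inet.sk_state == 0 &&
           obj.inet.pinet6 == &obj.inet6 &&
           obj.inet6.saddr[0] == 0 && obj.inet6.daddr[15] == 0;
}

int main(void)
{
    printf("generic clear_sk: lookup hits NULL pinet6? %d\n", replay_reuse_race(generic_clear_sk));
    printf("ipv6 clear_sk:    lookup hits NULL pinet6? %d\n", replay_reuse_race(tcp_v6_clear_sk));
    printf("ipv6 clear_sk still resets the other fields? %d\n", ipv6_clear_resets_rest());
    return 0;
}
```

The point the replay makes is the one the commit message relies on: once the object can be reached by an RCU reader after being freed, the only safe states for `pinet6` are "never cleared" or "valid", because the reader's `sk_family == AF_INET6` test and the new owner's assignment of `pinet6` are not atomic with respect to each other. Keeping the stale pointer is harmless here since it points inside the same slab object, which is exactly why the clone path can also leave it alone.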
Showing 6 changed files:
- include/net/sock.h: 12 additions, 0 deletions
- net/core/sock.c: 0 additions, 12 deletions
- net/ipv6/tcp_ipv6.c: 12 additions, 0 deletions
- net/ipv6/udp.c: 12 additions, 1 deletion
- net/ipv6/udp_impl.h: 2 additions, 0 deletions
- net/ipv6/udplite.c: 1 addition, 1 deletion