[patch 55/59] TCP: skb is unexpectedly freed.

From: Chris Wright
Date: Fri Feb 02 2007 - 21:46:51 EST

Next message: Chris Wright: "[patch 51/59] AF_PACKET: Fix BPF handling."
Previous message: Chris Wright: "[patch 53/59] TCP: rare bad TCP checksum with 2.6.19"
In reply to: Chris Wright: "[patch 53/59] TCP: rare bad TCP checksum with 2.6.19"
Next in thread: Chris Wright: "[patch 51/59] AF_PACKET: Fix BPF handling."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-stable review patch. If anyone has any objections, please let us know.
------------------

From: Masayuki Nakagawa <nakagawa.msy@xxxxxxxxxxxxxx>

I encountered a kernel panic with my test program, which is a very
simple IPv6 client-server program.

The server side sets IPV6_RECVPKTINFO on a listening socket, and the
client side just sends a message to the server. Then the kernel panic
occurs on the server. (If you need the test program, please let me
know. I can provide it.)

This problem happens because a skb is forcibly freed in
tcp_rcv_state_process().

When a socket in listening state(TCP_LISTEN) receives a syn packet,
then tcp_v6_conn_request() will be called from
tcp_rcv_state_process(). If the tcp_v6_conn_request() successfully
returns, the skb would be discarded by __kfree_skb().

However, in case of a listening socket which was already set
IPV6_RECVPKTINFO, an address of the skb will be stored in
treq->pktopts and a ref count of the skb will be incremented in
tcp_v6_conn_request(). But, even if the skb is still in use, the skb
will be freed. Then someone still using the freed skb will cause the
kernel panic.

I suggest to use kfree_skb() instead of __kfree_skb().

Signed-off-by: Masayuki Nakagawa <nakagawa.msy@xxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>

---
net/ipv4/tcp_input.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- linux-2.6.19.2.orig/net/ipv4/tcp_input.c
+++ linux-2.6.19.2/net/ipv4/tcp_input.c
@@ -4411,9 +4411,11 @@ int tcp_rcv_state_process(struct sock *s
* But, this leaves one open to an easy denial of
* service attack, and SYN cookies can't defend
* against this problem. So, we drop the data
- * in the interest of security over speed.
+ * in the interest of security over speed unless
+ * it's still in use.
*/
- goto discard;
+ kfree_skb(skb);
+ return 0;
}
goto discard;

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wright: "[patch 51/59] AF_PACKET: Fix BPF handling."
Previous message: Chris Wright: "[patch 53/59] TCP: rare bad TCP checksum with 2.6.19"
In reply to: Chris Wright: "[patch 53/59] TCP: rare bad TCP checksum with 2.6.19"
Next in thread: Chris Wright: "[patch 51/59] AF_PACKET: Fix BPF handling."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]