aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGerrit Renker <gerrit@erg.abdn.ac.uk>2006-10-11 11:26:54 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-10-21 22:55:20 -0400
commit82709531a800fcf8de71bb8c5d8e92462fb81f84 (patch)
treef5b91c66d478db78af46ca7a9863951b82d28c06
parent5cfc35cf79d46af998346e3d5cc66fa344d1af0e (diff)
[DCCP]: Fix Oops in DCCPv6
I think I got the cause for the Oops observed in http://www.mail-archive.com/dccp@vger.kernel.org/msg00578.html The problem is always with applications listening on PF_INET6 sockets. Apart from the mentioned oops, I observed another one one, triggered at irregular intervals via timer interrupt: run_timer_softirq -> dccp_keepalive_timer -> inet_csk_reqsk_queue_prune -> reqsk_free -> dccp_v6_reqsk_destructor The latter function is the problem and is also the last function to be called in said kernel panic. In any case, there is a real problem with allocating the right request_sock which is what this patch tackles. It fixes the following problem: - application listens on PF_INET6 - DCCPv4 packet comes in, is handed over to dccp_v4_do_rcv, from there to dccp_v4_conn_request Now: socket is PF_INET6, packet is IPv4. The following code then furnishes the connection with IPv6 - request_sock operations: req = reqsk_alloc(sk->sk_prot->rsk_prot); The first problem is that all further incoming packets will get a Reset since the connection can not be looked up. The second problem is worse: --> reqsk_alloc is called instead of inet6_reqsk_alloc --> consequently inet6_rsk_offset is never set (dangling pointer) --> the request_sock_ops are nevertheless still dccp6_request_ops --> destructor is called via reqsk_free --> dccp_v6_reqsk_destructor tries to free random memory location (inet6_rsk_offset not set) --> panic I have tested this for a while, DCCP sockets are now handled correctly in all three scenarios (v4/v6 only/v4-mapped). Commiter note: I've added the dccp_request_sock_ops forward declaration to keep the tree building and to reduce the size of the patch for 2.6.19, later I'll move the functions to the top of the affected source code to match what we have in the TCP counterpart, where this problem hasn't existed in the first place, dumb me not to have done the same thing on DCCP land 8) Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
-rw-r--r--net/dccp/ipv4.c4
-rw-r--r--net/dccp/ipv6.c4
2 files changed, 4 insertions, 4 deletions
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 7e746c4c1688..aaaf4d09516b 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -449,6 +449,8 @@ static inline u64 dccp_v4_init_sequence(const struct sock *sk,
449 dccp_hdr(skb)->dccph_sport); 449 dccp_hdr(skb)->dccph_sport);
450} 450}
451 451
452static struct request_sock_ops dccp_request_sock_ops;
453
452int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) 454int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
453{ 455{
454 struct inet_request_sock *ireq; 456 struct inet_request_sock *ireq;
@@ -489,7 +491,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
489 if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) 491 if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
490 goto drop; 492 goto drop;
491 493
492 req = reqsk_alloc(sk->sk_prot->rsk_prot); 494 req = reqsk_alloc(&dccp_request_sock_ops);
493 if (req == NULL) 495 if (req == NULL)
494 goto drop; 496 goto drop;
495 497
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 7171a78671aa..91e7b12df13b 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -672,7 +672,6 @@ static struct sock *dccp_v6_hnd_req(struct sock *sk,struct sk_buff *skb)
672 672
673static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) 673static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
674{ 674{
675 struct inet_request_sock *ireq;
676 struct dccp_sock dp; 675 struct dccp_sock dp;
677 struct request_sock *req; 676 struct request_sock *req;
678 struct dccp_request_sock *dreq; 677 struct dccp_request_sock *dreq;
@@ -701,7 +700,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
701 if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) 700 if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
702 goto drop; 701 goto drop;
703 702
704 req = inet6_reqsk_alloc(sk->sk_prot->rsk_prot); 703 req = inet6_reqsk_alloc(&dccp6_request_sock_ops);
705 if (req == NULL) 704 if (req == NULL)
706 goto drop; 705 goto drop;
707 706
@@ -713,7 +712,6 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
713 goto drop_and_free; 712 goto drop_and_free;
714 713
715 ireq6 = inet6_rsk(req); 714 ireq6 = inet6_rsk(req);
716 ireq = inet_rsk(req);
717 ipv6_addr_copy(&ireq6->rmt_addr, &skb->nh.ipv6h->saddr); 715 ipv6_addr_copy(&ireq6->rmt_addr, &skb->nh.ipv6h->saddr);
718 ipv6_addr_copy(&ireq6->loc_addr, &skb->nh.ipv6h->daddr); 716 ipv6_addr_copy(&ireq6->loc_addr, &skb->nh.ipv6h->daddr);
719 req->rcv_wnd = dccp_feat_default_sequence_window; 717 req->rcv_wnd = dccp_feat_default_sequence_window;