tcp: fix more NULL deref after prequeue changes

When I cooked commit c3658e8d0f1 ("tcp: fix possible NULL dereference in tcp_vX_send_reset()") I missed other spots we could deref a NULL skb_dst(skb) Again, if a socket is provided, we do not need skb_dst() to get a pointer to network namespace : sock_net(sk) is good enough. Reported-by: Dann Frazier <dann.frazier@canonical.com> Bisected-by: Dann Frazier <dann.frazier@canonical.com> Tested-by: Dann Frazier <dann.frazier@canonical.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode") Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <edumazet@google.com> 2014-12-09 12:56:08 -0500
committer: David S. Miller <davem@davemloft.net> 2014-12-09 21:38:44 -0500
commit: 0f85feae6b710ced3abad5b2b47d31dfcb956b62 (patch)
tree: 17d1fadb2483724a83a814c33270cc94389890dc /net/ipv6
parent: f15650b7f94879667f253bc32de7431c1baf2d6e (diff)
1 files changed, 14 insertions, 14 deletions
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index dc495ae2ead0..c277951d783b 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -787,16 +787,16 @@ static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
        .queue_hash_add =       inet6_csk_reqsk_queue_hash_add,
 };
-static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,
+static void tcp_v6_send_response(struct sock *sk, struct sk_buff *skb, u32 seq,
-                                 u32 tsval, u32 tsecr, int oif,
+                                 u32 ack, u32 win, u32 tsval, u32 tsecr,
-                                 struct tcp_md5sig_key *key, int rst, u8 tclass,
+                                 int oif, struct tcp_md5sig_key *key, int rst,
-                                 u32 label)
+                                 u8 tclass, u32 label)
 {
        const struct tcphdr *th = tcp_hdr(skb);
        struct tcphdr *t1;
        struct sk_buff *buff;
        struct flowi6 fl6;
-        struct net *net = dev_net(skb_dst(skb)->dev);
+        struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
        struct sock *ctl_sk = net->ipv6.tcp_sk;
        unsigned int tot_len = sizeof(struct tcphdr);
        struct dst_entry *dst;
@@ -946,7 +946,7 @@ static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb)
                          (th->doff << 2);
        oif = sk ? sk->sk_bound_dev_if : 0;
-        tcp_v6_send_response(skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);
+        tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);
 #ifdef CONFIG_TCP_MD5SIG
 release_sk1:
@@ -957,13 +957,13 @@ release_sk1:
 #endif
 }
-static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
+static void tcp_v6_send_ack(struct sock *sk, struct sk_buff *skb, u32 seq,
-                            u32 win, u32 tsval, u32 tsecr, int oif,
+                            u32 ack, u32 win, u32 tsval, u32 tsecr, int oif,
                            struct tcp_md5sig_key *key, u8 tclass,
                            u32 label)
 {
-        tcp_v6_send_response(skb, seq, ack, win, tsval, tsecr, oif, key, 0, tclass,
+        tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0,
-                             label);
+                             tclass, label);
 }
 static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
@@ -971,7 +971,7 @@ static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
        struct inet_timewait_sock *tw = inet_twsk(sk);
        struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
-        tcp_v6_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
+        tcp_v6_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
                        tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
                        tcp_time_stamp + tcptw->tw_ts_offset,
                        tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw),
@@ -986,10 +986,10 @@ static void tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
        /* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
         * sk->sk_state == TCP_SYN_RECV -> for Fast Open.
         */
-        tcp_v6_send_ack(skb, (sk->sk_state == TCP_LISTEN) ?
+        tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ?
                        tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
-                        tcp_rsk(req)->rcv_nxt,
+                        tcp_rsk(req)->rcv_nxt, req->rcv_wnd,
-                        req->rcv_wnd, tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
+                        tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
                        tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),
                        0, 0);
 }
author	Eric Dumazet <edumazet@google.com>	2014-12-09 12:56:08 -0500
committer	David S. Miller <davem@davemloft.net>	2014-12-09 21:38:44 -0500
commit	0f85feae6b710ced3abad5b2b47d31dfcb956b62 (patch)
tree	17d1fadb2483724a83a814c33270cc94389890dc /net/ipv6
parent	f15650b7f94879667f253bc32de7431c1baf2d6e (diff)

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index dc495ae2ead0..c277951d783b 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c
@@ -787,16 +787,16 @@ static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
787	.queue_hash_add = inet6_csk_reqsk_queue_hash_add,	787	.queue_hash_add = inet6_csk_reqsk_queue_hash_add,
788	};	788	};
789		789
790	static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,	790	static void tcp_v6_send_response(struct sock sk, struct sk_buff skb, u32 seq,
791	u32 tsval, u32 tsecr, int oif,	791	u32 ack, u32 win, u32 tsval, u32 tsecr,
792	struct tcp_md5sig_key *key, int rst, u8 tclass,	792	int oif, struct tcp_md5sig_key *key, int rst,
793	u32 label)	793	u8 tclass, u32 label)
794	{	794	{
795	const struct tcphdr *th = tcp_hdr(skb);	795	const struct tcphdr *th = tcp_hdr(skb);
796	struct tcphdr *t1;	796	struct tcphdr *t1;
797	struct sk_buff *buff;	797	struct sk_buff *buff;
798	struct flowi6 fl6;	798	struct flowi6 fl6;
799	struct net *net = dev_net(skb_dst(skb)->dev);	799	struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
800	struct sock *ctl_sk = net->ipv6.tcp_sk;	800	struct sock *ctl_sk = net->ipv6.tcp_sk;
801	unsigned int tot_len = sizeof(struct tcphdr);	801	unsigned int tot_len = sizeof(struct tcphdr);
802	struct dst_entry *dst;	802	struct dst_entry *dst;
@@ -946,7 +946,7 @@ static void tcp_v6_send_reset(struct sock sk, struct sk_buff skb)
946	(th->doff << 2);	946	(th->doff << 2);
947		947
948	oif = sk ? sk->sk_bound_dev_if : 0;	948	oif = sk ? sk->sk_bound_dev_if : 0;
949	tcp_v6_send_response(skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);	949	tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);
950		950
951	#ifdef CONFIG_TCP_MD5SIG	951	#ifdef CONFIG_TCP_MD5SIG
952	release_sk1:	952	release_sk1:
@@ -957,13 +957,13 @@ release_sk1:
957	#endif	957	#endif
958	}	958	}
959		959
960	static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack,	960	static void tcp_v6_send_ack(struct sock sk, struct sk_buff skb, u32 seq,
961	u32 win, u32 tsval, u32 tsecr, int oif,	961	u32 ack, u32 win, u32 tsval, u32 tsecr, int oif,
962	struct tcp_md5sig_key *key, u8 tclass,	962	struct tcp_md5sig_key *key, u8 tclass,
963	u32 label)	963	u32 label)
964	{	964	{
965	tcp_v6_send_response(skb, seq, ack, win, tsval, tsecr, oif, key, 0, tclass,	965	tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0,
966	label);	966	tclass, label);
967	}	967	}
968		968
969	static void tcp_v6_timewait_ack(struct sock sk, struct sk_buff skb)	969	static void tcp_v6_timewait_ack(struct sock sk, struct sk_buff skb)
@@ -971,7 +971,7 @@ static void tcp_v6_timewait_ack(struct sock sk, struct sk_buff skb)
971	struct inet_timewait_sock *tw = inet_twsk(sk);	971	struct inet_timewait_sock *tw = inet_twsk(sk);
972	struct tcp_timewait_sock *tcptw = tcp_twsk(sk);	972	struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
973		973
974	tcp_v6_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,	974	tcp_v6_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
975	tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,	975	tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
976	tcp_time_stamp + tcptw->tw_ts_offset,	976	tcp_time_stamp + tcptw->tw_ts_offset,
977	tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw),	977	tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw),
@@ -986,10 +986,10 @@ static void tcp_v6_reqsk_send_ack(struct sock sk, struct sk_buff skb,
986	/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV	986	/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
987	* sk->sk_state == TCP_SYN_RECV -> for Fast Open.	987	* sk->sk_state == TCP_SYN_RECV -> for Fast Open.
988	*/	988	*/
989	tcp_v6_send_ack(skb, (sk->sk_state == TCP_LISTEN) ?	989	tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ?
990	tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,	990	tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
991	tcp_rsk(req)->rcv_nxt,	991	tcp_rsk(req)->rcv_nxt, req->rcv_wnd,
992	req->rcv_wnd, tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,	992	tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
993	tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),	993	tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),
994	0, 0);	994	0, 0);
995	}	995	}