Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 476e19cf authored by Arnaldo Carvalho de Melo's avatar Arnaldo Carvalho de Melo Committed by David S. Miller
Browse files

[IPV6]: Fix OOPS when using IPV6_ADDRFORM



This causes sk->sk_prot to change, which makes the socket
release free the sock into the wrong SLAB cache.  Fix this
by introducing sk_prot_creator so that we always remember
where the sock came from.

Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 25ae3f59
Loading
Loading
Loading
Loading
+2 −0
Original line number Diff line number Diff line
@@ -141,6 +141,7 @@ struct sock_common {
  *	@sk_callback_lock: used with the callbacks in the end of this struct
  *	@sk_error_queue: rarely used
  *	@sk_prot: protocol handlers inside a network family
  *	@sk_prot_creator: sk_prot of original sock creator (see ipv6_setsockopt, IPV6_ADDRFORM for instance)
  *	@sk_err: last error
  *	@sk_err_soft: errors that don't cause failure but are the cause of a persistent failure not just 'timed out'
  *	@sk_ack_backlog: current listen backlog
@@ -218,6 +219,7 @@ struct sock {
	} sk_backlog;
	struct sk_buff_head	sk_error_queue;
	struct proto		*sk_prot;
	struct proto		*sk_prot_creator;
	rwlock_t		sk_callback_lock;
	int			sk_err,
				sk_err_soft;
+8 −4
Original line number Diff line number Diff line
@@ -635,7 +635,11 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it)
		if (zero_it) {
			memset(sk, 0, prot->obj_size);
			sk->sk_family = family;
			sk->sk_prot = prot;
			/*
			 * See comment in struct sock definition to understand
			 * why we need sk_prot_creator -acme
			 */
			sk->sk_prot = sk->sk_prot_creator = prot;
			sock_lock_init(sk);
		}
		
@@ -654,7 +658,7 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it)
void sk_free(struct sock *sk)
{
	struct sk_filter *filter;
	struct module *owner = sk->sk_prot->owner;
	struct module *owner = sk->sk_prot_creator->owner;

	if (sk->sk_destruct)
		sk->sk_destruct(sk);
@@ -672,8 +676,8 @@ void sk_free(struct sock *sk)
		       __FUNCTION__, atomic_read(&sk->sk_omem_alloc));

	security_sk_free(sk);
	if (sk->sk_prot->slab != NULL)
		kmem_cache_free(sk->sk_prot->slab, sk);
	if (sk->sk_prot_creator->slab != NULL)
		kmem_cache_free(sk->sk_prot_creator->slab, sk);
	else
		kfree(sk);
	module_put(owner);