aha/net
Masayuki Nakagawa fb7e2399ec [TCP]: skb is unexpectedly freed.
I encountered a kernel panic with my test program, which is a very
simple IPv6 client-server program.

The server side sets IPV6_RECVPKTINFO on a listening socket, and the
client side just sends a message to the server.  Then the kernel panic
occurs on the server.  (If you need the test program, please let me
know. I can provide it.)

This problem happens because a skb is forcibly freed in
tcp_rcv_state_process().

When a socket in listening state (TCP_LISTEN) receives a SYN packet,
then tcp_v6_conn_request() will be called from
tcp_rcv_state_process().  If tcp_v6_conn_request() returns
successfully, the skb would be discarded by __kfree_skb().

However, in the case of a listening socket on which IPV6_RECVPKTINFO
was already set, the address of the skb will be stored in
treq->pktopts and the ref count of the skb will be incremented in
tcp_v6_conn_request().  But, even if the skb is still in use, the skb
will be freed.  Then someone still using the freed skb will cause the
kernel panic.

I suggest using kfree_skb() instead of __kfree_skb().

Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-01-23 20:25:52 -08:00