mirror of
https://github.com/torvalds/linux.git
synced 2026-06-30 01:55:39 +02:00
fb7e2399ec
I encountered a kernel panic with my test program, which is a very simple IPv6 client-server program. The server side sets IPV6_RECVPKTINFO on a listening socket, and the client side just sends a message to the server. Then the kernel panic occurs on the server. (If you need the test program, please let me know. I can provide it.) This problem happens because a skb is forcibly freed in tcp_rcv_state_process(). When a socket in listening state(TCP_LISTEN) receives a syn packet, then tcp_v6_conn_request() will be called from tcp_rcv_state_process(). If the tcp_v6_conn_request() successfully returns, the skb would be discarded by __kfree_skb(). However, in case of a listening socket which was already set IPV6_RECVPKTINFO, an address of the skb will be stored in treq->pktopts and a ref count of the skb will be incremented in tcp_v6_conn_request(). But, even if the skb is still in use, the skb will be freed. Then someone still using the freed skb will cause the kernel panic. I suggest to use kfree_skb() instead of __kfree_skb(). Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| 802 | ||
| 8021q | ||
| appletalk | ||
| atm | ||
| ax25 | ||
| bluetooth | ||
| bridge | ||
| core | ||
| dccp | ||
| decnet | ||
| econet | ||
| ethernet | ||
| ieee80211 | ||
| ipv4 | ||
| ipv6 | ||
| ipx | ||
| irda | ||
| key | ||
| lapb | ||
| llc | ||
| netfilter | ||
| netlabel | ||
| netlink | ||
| netrom | ||
| packet | ||
| rose | ||
| rxrpc | ||
| sched | ||
| sctp | ||
| sunrpc | ||
| tipc | ||
| unix | ||
| wanrouter | ||
| x25 | ||
| xfrm | ||
| compat.c | ||
| Kconfig | ||
| Makefile | ||
| nonet.c | ||
| socket.c | ||
| sysctl_net.c | ||
| TUNABLE | ||