From patchwork Tue Sep 30 16:29:11 2008
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Denis V. Lunev" <den@openvz.org>
X-Patchwork-Id: 2110
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id 9672ADE5E3
	for <patchwork-incoming@ozlabs.org>;
	Wed,  1 Oct 2008 02:29:28 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752787AbYI3Q3K (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 30 Sep 2008 12:29:10 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752938AbYI3Q3J
	(ORCPT <rfc822; netdev-outgoing>); Tue, 30 Sep 2008 12:29:09 -0400
Received: from mailhub.sw.ru ([195.214.232.25]:31777 "EHLO relay.sw.ru"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752208AbYI3Q3I (ORCPT <rfc822;netdev@vger.kernel.org>);
	Tue, 30 Sep 2008 12:29:08 -0400
Received: from iris.sw.ru (ppp91-78-89-101.pppoe.mtu-net.ru [91.78.89.101])
	(authenticated bits=0)
	by relay.sw.ru (8.13.4/8.13.4) with ESMTP id m8UGSxs7014843
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 30 Sep 2008 20:29:00 +0400 (MSD)
Received: from den by iris.sw.ru with local (Exim 4.69)
	(envelope-from <den@sw.ru>)
	id 1Kki63-00035j-OI; Tue, 30 Sep 2008 20:29:11 +0400
From: "Denis V. Lunev" <den@openvz.org>
To: davem@davemloft.net
Cc: xemul@openvz.org, vgusev@openvz.org, netdev@vger.kernel.org,
	"Denis V. Lunev" <den@openvz.org>
Subject: [PATCH net-2.6] ip: NULL pointer dereferrence in tcp_v(4|6)_send_ack
Date: Tue, 30 Sep 2008 20:29:11 +0400
Message-Id: <1222792151-11861-1-git-send-email-den@openvz.org>
X-Mailer: git-send-email 1.5.6.4
In-Reply-To: <200809302013.30051.vgusev@openvz.org>
References: <200809302013.30051.vgusev@openvz.org>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The following actions are possible:
tcp_v4_rcv
  skb->dev = NULL;
  tcp_v4_do_rcv
    tcp_v4_hnd_req
      tcp_check_req
        req->rsk_ops->send_ack == tcp_v4_send_ack

So, skb->dev can be NULL in tcp_v4_send_ack. We must obtain namespace
from dst entry. IPv6 codepath is similar.

Thanks to Vitaliy Gusev <vgusev@openvz.org> for initial oops decoding.

Signed-off-by: Denis V. Lunev <den@openvz.org>
---
 net/ipv4/tcp_ipv4.c |    2 +-
 net/ipv6/tcp_ipv6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 1b4fee2..011478e 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -618,7 +618,7 @@ static void tcp_v4_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
 			];
 	} rep;
 	struct ip_reply_arg arg;
-	struct net *net = dev_net(skb->dev);
+	struct net *net = dev_net(skb->dst->dev);
 
 	memset(&rep.th, 0, sizeof(struct tcphdr));
 	memset(&arg, 0, sizeof(arg));
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index b585c85..10e22fd 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1050,7 +1050,7 @@ static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32
 	struct tcphdr *th = tcp_hdr(skb), *t1;
 	struct sk_buff *buff;
 	struct flowi fl;
-	struct net *net = dev_net(skb->dev);
+	struct net *net = dev_net(skb->dst->dev);
 	struct sock *ctl_sk = net->ipv6.tcp_sk;
 	unsigned int tot_len = sizeof(struct tcphdr);
 	__be32 *topt;