From patchwork Thu Feb 16 16:22:46 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrey Konovalov <andreyknvl@google.com>
X-Patchwork-Id: 728808
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3vPLzy56hSz9s8S
	for <patchwork-incoming@ozlabs.org>;
	Fri, 17 Feb 2017 03:23:10 +1100 (AEDT)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=google.com header.i=@google.com
	header.b="AaCKYBjl"; dkim-atps=neutral
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932775AbdBPQXE (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 16 Feb 2017 11:23:04 -0500
Received: from mail-wm0-f49.google.com ([74.125.82.49]:34903 "EHLO
	mail-wm0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932316AbdBPQXC (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 16 Feb 2017 11:23:02 -0500
Received: by mail-wm0-f49.google.com with SMTP id v186so70591861wmd.0
	for <netdev@vger.kernel.org>; Thu, 16 Feb 2017 08:23:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=XIQdkmX7i7QtwTbDAiGJ17SwLa1+otLRRAVPneSUIgQ=;
	b=AaCKYBjlWassaSQ/qpVuPCG1f7kdGgFR3SaPoyJP5sW67NKsu3docMlstyP1l9PdXV
	MF1x7M4Q/kiRM93WBwQGrz1kjMfSH8mLYCFqlcwMxtT0TfYNQQwLBnAbMYKjva0JKZqN
	PMitd8gFhTs7jgDj74O5b3OPu5dparM83hd3Uwld31l5sYdg7vF19fDTj9AFU+iQ0kUL
	I+WlMTg3so5/yagjRPyFvZOdpGwEdLVha6yz2zl5gy8qISPpHRcTa2/vKUYQY7P2XfFj
	z8fAtRKm5IShHiqL4eD4RYVXqrwADTguW7cWQLcYx4Uslj+t4fcOFimUJ8cBgbE7zlqd
	BJ0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=XIQdkmX7i7QtwTbDAiGJ17SwLa1+otLRRAVPneSUIgQ=;
	b=ovHQjrcIl1ZhTlKMFpamd6PL4c4EvmGkyks+g0J86fiKr9g0/miQGpfuz+R1ZI1FMT
	YEirVMTmPj0uJxfsKITkhJqdEZlqe0cE9VAxxUWmpU0JJOVYRj9QrHeXmFpEU1AKHNVv
	YYCldkC3SJKhKet+PowfSaWKzCbVsbh2mZtYl/O0VkqGqJbN+FXMV+47jhp/mxLS8HDn
	aUJ4zSBmh1BMEHeIoO+rqBDpRWctUd0m1ah+mTvpWUc6IhwSVceslLkLZqb4tWlnBOYP
	QxrCRyoEXMyGFv0GPverLhMl9VPZJwUzBlxAOLUL2ePL/paKOqCBlPQAJLQmOhC0Mmlv
	N+Pw==
X-Gm-Message-State: 
 AMke39kSu5u4Vz0dXH7rk/mi8fl/nhdveo4MtjLgW5JlFDL8u1LHoImZapdq2NMZ7zzjoS8N
X-Received: by 10.28.8.130 with SMTP id 124mr12590452wmi.65.1487262180973;
	Thu, 16 Feb 2017 08:23:00 -0800 (PST)
Received: from andreyknvl0.muc.corp.google.com
	([2a00:79e0:15:2:5071:a3ef:89b7:bc0c])
	by smtp.gmail.com with ESMTPSA id
	i15sm844930wmf.21.2017.02.16.08.22.59
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Thu, 16 Feb 2017 08:22:59 -0800 (PST)
Received: by andreyknvl0.muc.corp.google.com (Postfix, from userid 206546)
	id 2C4A7180068; Thu, 16 Feb 2017 17:22:59 +0100 (CET)
From: Andrey Konovalov <andreyknvl@google.com>
To: "David S . Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	Gerrit Renker <gerrit@erg.abdn.ac.uk>,
	Dmitry Vyukov <dvyukov@google.com>, Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Andrey Konovalov <andreyknvl@google.com>
Subject: [PATCH] dccp: fix freeing skb too early for IPV6_RECVPKTINFO
Date: Thu, 16 Feb 2017 17:22:46 +0100
Message-Id: <20170216162246.12783-1-andreyknvl@google.com>
X-Mailer: git-send-email 2.11.0.483.g087da7b7c-goog
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.

However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
in dccp_rcv_state_process.

Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.

Similar fixes for TCP:

fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
---
 net/dccp/input.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/dccp/input.c b/net/dccp/input.c
index ba347184bda9..8fedc2d49770 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
 			if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
 								    skb) < 0)
 				return 1;
-			goto discard;
+			consume_skb(skb);
+			return 0;
 		}
 		if (dh->dccph_type == DCCP_PKT_RESET)
 			goto discard;