From patchwork Thu Dec 20 13:20:10 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Herbert Xu <herbert@gondor.apana.org.au>
X-Patchwork-Id: 1016769
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=gondor.apana.org.au
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 43LC6p1dFCz9sCh
	for <patchwork-incoming-netdev@ozlabs.org>;
	Fri, 21 Dec 2018 00:20:18 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1733042AbeLTNUR (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Thu, 20 Dec 2018 08:20:17 -0500
Received: from orcrist.hmeau.com ([104.223.48.154]:36654 "EHLO
	deadmen.hmeau.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1732391AbeLTNUQ (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 20 Dec 2018 08:20:16 -0500
Received: from gondobar.mordor.me.apana.org.au ([192.168.128.4]
	helo=gondobar)
	by deadmen.hmeau.com with esmtps (Exim 4.89 #2 (Debian))
	id 1gZyFL-0006M3-3w; Thu, 20 Dec 2018 21:20:15 +0800
Received: from herbert by gondobar with local (Exim 4.89)
	(envelope-from <herbert@gondor.apana.org.au>)
	id 1gZyFG-0008FW-H5; Thu, 20 Dec 2018 21:20:10 +0800
Date: Thu, 20 Dec 2018 21:20:10 +0800
From: Herbert Xu <herbert@gondor.apana.org.au>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: netdev@vger.kernel.org, Xiumei Mu <xmu@redhat.com>,
	Eric Dumazet <edumazet@google.com>
Subject: [PATCH] ipv6: frags: Fix bogus skb->sk in reassembled packets
Message-ID: <20181220132010.ltpc4yga5st7zwyu@gondor.apana.org.au>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

It was reported that IPsec would crash when it encounters an IPv6
reassembled packet because skb->sk is non-zero and not a valid
pointer.

This is because skb->sk is now a union with ip_defrag_offset.

This patch fixes this by resetting skb->sk when exiting from
the reassembly code.

Reported-by: Xiumei Mu <xmu@redhat.com>
Fixes: 219badfaade9 ("ipv6: frags: get rid of ip6frag_skb_cb/...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 5c3c92713096..a98f95fb6eac 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -378,6 +378,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
 		if (skb_try_coalesce(head, fp, &headstolen, &delta)) {
 			kfree_skb_partial(fp, headstolen);
 		} else {
+			fp->sk = NULL;
 			if (!skb_shinfo(head)->frag_list)
 				skb_shinfo(head)->frag_list = fp;
 			head->data_len += fp->len;