linux/net/ipv4
Eric Dumazet 97599dc792 net: drop dst before queueing fragments
Commit 4a94445c9a (net: Use ip_route_input_noref() in input path)
added a bug in IP defragmentation handling, as non refcounted
dst could escape an RCU protected section.

Commit 64f3b9e203 (net: ip_expire() must revalidate route) fixed
the case of timeouts, but not the general problem.

Tom Parkin noticed crashes in UDP stack and provided a patch,
but further analysis permitted us to pinpoint the root cause.

Before queueing a packet into a frag list, we must drop its dst,
as this dst has limited lifetime (RCU protected)

When/if a packet is finally reassembled, we use the dst of the very
last skb, still protected by RCU and valid, as the dst of the
reassembled packet.

Use same logic in IPv6, as there is no need to hold dst references.

Reported-by: Tom Parkin <tparkin@katalix.com>
Tested-by: Tom Parkin <tparkin@katalix.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-04-17 01:15:29 -04:00
..
netfilter netfilter: remove unused "config IP_NF_QUEUE" 2013-03-20 00:11:43 +01:00
af_inet.c ipv4: Fix ip-header identification for gso packets. 2013-03-26 13:50:05 -04:00
ah4.c net: Add skb_unclone() helper function. 2013-02-15 15:10:37 -05:00
arp.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
cipso_ipv4.c
datagram.c ipv4: Add a socket release callback for datagram sockets 2013-01-21 14:17:05 -05:00
devinet.c net: ipv4: fix schedule while atomic bug in check_lifetime() 2013-04-08 12:04:51 -04:00
esp4.c esp4: fix error return code in esp_output() 2013-04-15 14:05:34 -04:00
fib_frontend.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
fib_lookup.h
fib_rules.c sections: fix section conflicts in net 2012-10-06 03:04:45 +09:00
fib_semantics.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
fib_trie.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
gre.c v4 GRE: Add TCP segmentation offload for GRE 2013-02-15 15:17:11 -05:00
icmp.c ipv4: fix error handling in icmp_protocol. 2013-02-22 15:10:18 -05:00
igmp.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
inet_connection_sock.c Fix: sparse warning in inet_csk_prepare_forced_close 2013-03-07 16:31:29 -05:00
inet_diag.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2012-12-12 18:07:07 -08:00
inet_fragment.c inet: limit length of fragment queue hash table bucket lists 2013-03-19 10:28:36 -04:00
inet_hashtables.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
inet_lro.c
inet_timewait_sock.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
inetpeer.c Merge branch 'for-3.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq 2012-10-02 09:54:49 -07:00
ip_forward.c ipv4: introduce rt_uses_gateway 2012-10-08 17:42:36 -04:00
ip_fragment.c net: drop dst before queueing fragments 2013-04-17 01:15:29 -04:00
ip_gre.c Revert "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally" 2013-03-16 23:00:41 -04:00
ip_input.c ipv[4|6]: correct dropwatch false positive in local_deliver_finish 2013-03-01 15:56:29 -05:00
ip_options.c net/ipv4: Ensure that location of timestamp option is stored 2013-03-12 05:35:39 -04:00
ip_output.c net: Fix possible wrong checksum generation. 2013-02-13 13:30:10 -05:00
ip_sockglue.c net: prevent setting ttl=0 via IP_TTL 2013-01-08 17:57:10 -08:00
ip_vti.c net: Allow userns root to control ipv4 2012-11-18 20:32:45 -05:00
ipcomp.c ipcomp: Mark as netns_ok. 2013-02-04 15:46:15 -05:00
ipconfig.c ipconfig: Fix newline handling in log message. 2013-03-20 12:15:58 -04:00
ipip.c net: fix possible wrong checksum generation 2013-01-28 00:27:15 -05:00
ipmr.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
Kconfig net/ipv4: remove depends on CONFIG_EXPERIMENTAL 2013-01-11 11:40:00 -08:00
Makefile
netfilter.c netfilter: properly annotate ipv4_netfilter_{init,fini}() 2012-09-03 13:56:04 +02:00
ping.c ipv4: fix a bug in ping_err(). 2013-02-21 15:25:00 -05:00
proc.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
protocol.c ipv4: Disallow non-namespace aware protocols to register. 2013-02-05 14:42:23 -05:00
raw.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
route.c net: ipv4: fix waring -Wunused-variable 2013-02-19 13:18:13 -05:00
syncookies.c tcp: incoming connections might use wrong route under synflood 2013-04-11 16:01:46 -04:00
sysctl_net_ipv4.c tcp: remove Appropriate Byte Count support 2013-02-05 14:51:16 -05:00
tcp_bic.c
tcp_cong.c tcp: remove Appropriate Byte Count support 2013-02-05 14:51:16 -05:00
tcp_cubic.c
tcp_diag.c
tcp_fastopen.c
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c net: fix divide by zero in tcp algorithm illinois 2012-11-01 11:55:59 -04:00
tcp_input.c tcp: undo spurious timeout after SACK reneging 2013-03-24 17:27:28 -04:00
tcp_ipv4.c tcp: dont handle MTU reduction on LISTEN socket 2013-03-18 13:31:28 -04:00
tcp_lp.c
tcp_memcontrol.c
tcp_metrics.c tcp: handle tcp_net_metrics_init() order-5 memory allocation failures 2012-11-16 13:36:27 -05:00
tcp_minisocks.c tcp: send packets with a socket timestamp 2013-02-13 13:22:16 -05:00
tcp_output.c tcp: Reallocate headroom if it would overflow csum_start 2013-04-11 18:12:41 -04:00
tcp_probe.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
tcp_scalable.c
tcp_timer.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-11-10 18:32:51 -05:00
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tcp.c tcp: fix skb_availroom() 2013-03-14 11:49:45 -04:00
tunnel4.c
udp_diag.c netlink: Rename pid to portid to avoid confusion 2012-09-10 15:30:41 -04:00
udp_impl.h
udp.c udp: add encap_destroy callback 2013-03-20 12:10:38 -04:00
udplite.c
xfrm4_input.c net: Add skb_unclone() helper function. 2013-02-15 15:10:37 -05:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c ip: fix warning in xfrm4_mode_tunnel_input 2013-02-18 12:42:48 -05:00
xfrm4_output.c
xfrm4_policy.c xfrm: make gc_thresh configurable in all namespaces 2013-02-06 11:36:29 +01:00
xfrm4_state.c
xfrm4_tunnel.c