linux/net/ipv6
Patrick McHardy 9d7b0fc1ef net: ipv6: fix oops in inet_putpeer()
Commit 97bab73f (inet: Hide route peer accesses behind helpers.) introduced
a bug in xfrm6_policy_destroy(). The xfrm_dst's _rt6i_peer member is not
initialized, causing a false positive result from inetpeer_ptr_is_peer(),
which in turn causes a NULL pointer dereference in inet_putpeer().

Pid: 314, comm: kworker/0:1 Not tainted 3.6.0-rc1+ #17 To Be Filled By O.E.M. To Be Filled By O.E.M./P4S800D-X
EIP: 0060:[<c03abf93>] EFLAGS: 00010246 CPU: 0
EIP is at inet_putpeer+0xe/0x16
EAX: 00000000 EBX: f3481700 ECX: 00000000 EDX: 000dd641
ESI: f3481700 EDI: c05e949c EBP: f551def4 ESP: f551def4
 DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
CR0: 8005003b CR2: 00000070 CR3: 3243d000 CR4: 00000750
DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
DR6: ffff0ff0 DR7: 00000400
 f551df04 c0423de1 00000000 f3481700 f551df18 c038d5f7 f254b9f8 f551df28
 f34f85d8 f551df20 c03ef48d f551df3c c0396870 f30697e8 f24e1738 c05e98f4
 f5509540 c05cd2b4 f551df7c c0142d2b c043feb5 f5509540 00000000 c05cd2e8
 [<c0423de1>] xfrm6_dst_destroy+0x42/0xdb
 [<c038d5f7>] dst_destroy+0x1d/0xa4
 [<c03ef48d>] xfrm_bundle_flo_delete+0x2b/0x36
 [<c0396870>] flow_cache_gc_task+0x85/0x9f
 [<c0142d2b>] process_one_work+0x122/0x441
 [<c043feb5>] ? apic_timer_interrupt+0x31/0x38
 [<c03967eb>] ? flow_cache_new_hashrnd+0x2b/0x2b
 [<c0143e2d>] worker_thread+0x113/0x3cc

Fix by adding a init_dst() callback to struct xfrm_policy_afinfo to
properly initialize the dst's peer pointer.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-08-20 02:56:56 -07:00
..
netfilter netfilter: nf_conntrack: generalize nf_ct_l4proto_net 2012-07-04 19:37:22 +02:00
addrconf_core.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
addrconf.c ipv6: addrconf: Avoid calling netdevice notifiers with RCU read-side lock 2012-08-14 17:02:12 -07:00
addrlabel.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
af_inet6.c ipv6: bool conversions phase1 2012-05-18 02:24:13 -04:00
ah6.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
anycast.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
datagram.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
esp6.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
exthdrs_core.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
exthdrs.c net: Remove casts to same type 2012-06-04 11:45:11 -04:00
fib6_rules.c net/ipv6/fib6_rules.c: Checkpatch cleanup 2012-04-02 04:33:46 -04:00
icmp.c ipv6: Use icmpv6_notify() to propagate redirect, instead of rt6_redirect(). 2012-07-12 00:33:37 -07:00
inet6_connection_sock.c ipv6: fix inet6_csk_xmit() 2012-07-18 08:59:58 -07:00
inet6_hashtables.c net: Compute protocol sequence numbers and fragment IDs using MD5. 2011-08-06 18:33:19 -07:00
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-06-25 15:50:32 -07:00
ip6_flowlabel.c ipv6: bool/const conversions phase2 2012-05-19 01:08:16 -04:00
ip6_input.c net: TCP early demux cleanup 2012-07-30 14:53:21 -07:00
ip6_output.c inet: Minimize use of cached route inetpeer. 2012-07-10 22:40:11 -07:00
ip6_tunnel.c ipv6: add ipv6_addr_hash() helper 2012-07-18 11:28:46 -07:00
ip6mr.c ip6mr: Do not use RTA_PUT() macros 2012-06-27 15:36:44 -07:00
ipcomp6.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
ipv6_sockglue.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
Kconfig xfrm: make xfrm_algo.c a module 2012-05-15 13:13:34 -04:00
Makefile
mcast.c ipv6: fix unappropriate errno returned for non-multicast address 2012-07-17 01:35:03 -07:00
mip6.c ipv6: correct the ipv6 option name - Pad0 to Pad1 2012-05-17 15:49:51 -04:00
ndisc.c ipv6: Use icmpv6_notify() to propagate redirect, instead of rt6_redirect(). 2012-07-12 00:33:37 -07:00
netfilter.c Merge branch 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2011-11-06 19:44:47 -08:00
proc.c net: ipv6: proc: Fix error handling 2012-08-14 14:45:07 -07:00
protocol.c inet: Sanitize inet{,6} protocol demux. 2012-06-19 18:56:21 -07:00
raw.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
reassembly.c ipv6: use skb coalescing in reassembly 2012-05-19 18:34:57 -04:00
route.c ipv6: fix incorrect route 'expires' value passed to userspace 2012-07-29 23:18:31 -07:00
sit.c net: Pass optional SKB and SK arguments to dst_ops->{update_pmtu,redirect}() 2012-07-17 03:29:28 -07:00
syncookies.c net-tcp: Fast Open base 2012-07-19 10:55:36 -07:00
sysctl_net_ipv6.c net: Delete all remaining instances of ctl_path 2012-04-20 21:22:30 -04:00
tcp_ipv6.c net: tcp: ipv6_mapped needs sk_rx_dst_set method 2012-08-09 20:56:09 -07:00
tunnel6.c net: ipv6: Standardize prefixes for message logging 2012-05-16 01:01:03 -04:00
udp_impl.h
udp.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
udplite.c Merge branch 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2011-11-06 19:44:47 -08:00
xfrm6_input.c
xfrm6_mode_beet.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm6_output.c xfrm6: remove unneeded NULL check in __xfrm6_output() 2012-02-01 02:52:48 -05:00
xfrm6_policy.c net: ipv6: fix oops in inet_putpeer() 2012-08-20 02:56:56 -07:00
xfrm6_state.c net: remove ipv6_addr_copy() 2011-11-22 16:43:32 -05:00
xfrm6_tunnel.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00