From: Arnaldo Carvalho de Melo Date: Thu, 5 May 2005 20:35:15 +0000 (-0700) Subject: [IPV6]: Fix OOPS when using IPV6_ADDRFORM X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=476e19cfa131e2b6eedc4017b627cdc4ca419ffb;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git [IPV6]: Fix OOPS when using IPV6_ADDRFORM This causes sk->sk_prot to change, which makes the socket release free the sock into the wrong SLAB cache. Fix this by introducing sk_prot_creator so that we always remember where the sock came from. Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller --- diff --git a/include/net/sock.h b/include/net/sock.h index cc4c9190b7fd..77f02f86346e 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -141,6 +141,7 @@ struct sock_common { * @sk_callback_lock: used with the callbacks in the end of this struct * @sk_error_queue: rarely used * @sk_prot: protocol handlers inside a network family + * @sk_prot_creator: sk_prot of original sock creator (see ipv6_setsockopt, IPV6_ADDRFORM for instance) * @sk_err: last error * @sk_err_soft: errors that don't cause failure but are the cause of a persistent failure not just 'timed out' * @sk_ack_backlog: current listen backlog @@ -218,6 +219,7 @@ struct sock { } sk_backlog; struct sk_buff_head sk_error_queue; struct proto *sk_prot; + struct proto *sk_prot_creator; rwlock_t sk_callback_lock; int sk_err, sk_err_soft; diff --git a/net/core/sock.c b/net/core/sock.c index 98171ddd7e7d..92c0676e4708 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -635,7 +635,11 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it) if (zero_it) { memset(sk, 0, prot->obj_size); sk->sk_family = family; - sk->sk_prot = prot; + /* + * See comment in struct sock definition to understand + * why we need sk_prot_creator -acme + */ + sk->sk_prot = sk->sk_prot_creator = prot; sock_lock_init(sk); } @@ -654,7 +658,7 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it) void sk_free(struct sock *sk) { struct sk_filter *filter; - struct module *owner = sk->sk_prot->owner; + struct module *owner = sk->sk_prot_creator->owner; if (sk->sk_destruct) sk->sk_destruct(sk); @@ -672,8 +676,8 @@ void sk_free(struct sock *sk) __FUNCTION__, atomic_read(&sk->sk_omem_alloc)); security_sk_free(sk); - if (sk->sk_prot->slab != NULL) - kmem_cache_free(sk->sk_prot->slab, sk); + if (sk->sk_prot_creator->slab != NULL) + kmem_cache_free(sk->sk_prot_creator->slab, sk); else kfree(sk); module_put(owner);