WSL2-Linux-Kernel/net/ipv6
Xin Long e8d411d298 ipv6: do not set sk_destruct in IPV6_ADDRFORM sockopt
ChunYu found a kernel warn_on during syzkaller fuzzing:

[40226.038539] WARNING: CPU: 5 PID: 23720 at net/ipv4/af_inet.c:152 inet_sock_destruct+0x78d/0x9a0
[40226.144849] Call Trace:
[40226.147590]  <IRQ>
[40226.149859]  dump_stack+0xe2/0x186
[40226.176546]  __warn+0x1a4/0x1e0
[40226.180066]  warn_slowpath_null+0x31/0x40
[40226.184555]  inet_sock_destruct+0x78d/0x9a0
[40226.246355]  __sk_destruct+0xfa/0x8c0
[40226.290612]  rcu_process_callbacks+0xaa0/0x18a0
[40226.336816]  __do_softirq+0x241/0x75e
[40226.367758]  irq_exit+0x1f6/0x220
[40226.371458]  smp_apic_timer_interrupt+0x7b/0xa0
[40226.376507]  apic_timer_interrupt+0x93/0xa0

The warn_on happned when sk->sk_rmem_alloc wasn't 0 in inet_sock_destruct.
As after commit f970bd9e3a ("udp: implement memory accounting helpers"),
udp has changed to use udp_destruct_sock as sk_destruct where it would
udp_rmem_release all rmem.

But IPV6_ADDRFORM sockopt sets sk_destruct with inet_sock_destruct after
changing family to PF_INET. If rmem is not 0 at that time, and there is
no place to release rmem before calling inet_sock_destruct, the warn_on
will be triggered.

This patch is to fix it by not setting sk_destruct in IPV6_ADDRFORM sockopt
any more. As IPV6_ADDRFORM sockopt only works for tcp and udp. TCP sock has
already set it's sk_destruct with inet_sock_destruct and UDP has set with
udp_destruct_sock since they're created.

Fixes: f970bd9e3a ("udp: implement memory accounting helpers")
Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-29 10:54:40 -07:00
..
ila
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-06-30 06:27:09 -07:00
Kconfig
Makefile
addrconf.c ipv6: fix sparse warning on rt6i_node 2017-08-28 15:34:40 -07:00
addrconf_core.c
addrlabel.c net, ipv6: convert ip6addrlbl_entry.refcnt from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
af_inet6.c
ah6.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-06-23 14:17:31 -04:00
anycast.c net, ipv6: convert ifacaddr6.aca_refcnt from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
calipso.c net, calipso: convert calipso_doi.refcount from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
datagram.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
esp6.c esp: Fix skb tailroom calculation 2017-08-25 09:26:24 +02:00
esp6_offload.c esp: Fix error handling on layer 2 xmit. 2017-08-07 08:31:07 +02:00
exthdrs.c udp6: fix jumbogram reception 2017-07-31 22:01:21 -07:00
exthdrs_core.c
exthdrs_offload.c
fib6_rules.c ipv6: Do not leak throw route references 2017-06-20 15:34:02 -04:00
fou6.c
icmp.c
inet6_connection_sock.c
inet6_hashtables.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
ip6_checksum.c
ip6_fib.c ipv6: set dst.obsolete when a cached route has expired 2017-08-28 15:45:04 -07:00
ip6_flowlabel.c
ip6_gre.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ip6_icmp.c
ip6_input.c
ip6_offload.c
ip6_offload.h
ip6_output.c udp: consistently apply ufo or fragmentation 2017-08-10 09:52:12 -07:00
ip6_tunnel.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ip6_udp_tunnel.c
ip6_vti.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ip6mr.c ip6mr: add netlink notifications on mrt6msg cache reports 2017-06-21 11:22:53 -04:00
ipcomp6.c
ipv6_sockglue.c ipv6: do not set sk_destruct in IPV6_ADDRFORM sockopt 2017-08-29 10:54:40 -07:00
mcast.c net, ipv6: convert ifmcaddr6.mca_refcnt from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
mcast_snoop.c
mip6.c
ndisc.c networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
netfilter.c
output_core.c ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() 2017-08-22 10:23:26 -07:00
ping.c
proc.c
protocol.c
raw.c
reassembly.c
route.c ipv6: set dst.obsolete when a cached route has expired 2017-08-28 15:45:04 -07:00
seg6.c
seg6_hmac.c
seg6_iptunnel.c
sit.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
syncookies.c ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check() 2017-07-18 11:22:51 -07:00
sysctl_net_ipv6.c
tcp_ipv6.c tcp: fix possible deadlock in TCP stack vs BPF filter 2017-08-14 22:31:27 -07:00
tcpv6_offload.c
tunnel6.c
udp.c udp6: set rx_dst_cookie on rx_dst updates 2017-08-25 20:09:13 -07:00
udp_impl.h
udp_offload.c net: avoid skb_warn_bad_offload false positives on UFO 2017-08-08 21:39:01 -07:00
udplite.c
xfrm6_input.c xfrm6: Fix IPv6 payload_len in xfrm6_transport_finish 2017-06-22 10:49:14 +02:00
xfrm6_mode_beet.c networking: make skb_pull & friends return void pointers 2017-06-16 11:48:39 -04:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c net, ipv6: convert xfrm6_tunnel_spi.refcnt from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00