On Thu, Sep 6, 2018 at 10:51 AM Taehee Yoo <ap420...@gmail.com> wrote:
>
> A kernel crash occurs when a defragmented packet is fragmented
> in ip_do_fragment().
> In the defragment routine, skb_orphan() is called and
> skb->ip_defrag_offset is set. But skb->sk and
> skb->ip_defrag_offset are the same union member, so that
> frag->sk is not NULL.
> Hence a crash occurs in the skb->sk check routine in ip_do_fragment() when
> a defragmented packet is fragmented.

Have you tested this patch? Moving back ip_defrag_offset is conflicting with the rbnode!

A more correct fix would be to properly clear skb->sk at reassembly.