2018-09-07 3:23 GMT+09:00 Eric Dumazet <eduma...@google.com>:
> On Thu, Sep 6, 2018 at 11:06 AM Eric Dumazet <eduma...@google.com> wrote:
>>
>> On Thu, Sep 6, 2018 at 10:51 AM Taehee Yoo <ap420...@gmail.com> wrote:
>> >
>> > A kernel crash occurs when a defragmented packet is fragmented
>> > in ip_do_fragment().
>> > In the defragment routine, skb_orphan() is called and
>> > skb->ip_defrag_offset is set, but skb->sk and
>> > skb->ip_defrag_offset are the same union member, so
>> > frag->sk is not NULL.
>> > Hence a crash occurs in the skb->sk check routine in ip_do_fragment() when
>> > a defragmented packet is fragmented.
>>
>> Have you tested this patch?
>>
>> Moving back ip_defrag_offset is conflicting with the rbnode!
>>
>> A more correct fix would be to properly clear skb->sk at reassembly.
>
> Something like that:
>
> diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
> index
> 88281fbce88ce8f1062b99594665766c2a5f5b74..e7227128df2c8fd54727c234f76043133809bd1e
> 100644
> --- a/net/ipv4/ip_fragment.c
> +++ b/net/ipv4/ip_fragment.c
> @@ -599,6 +599,7 @@ static int ip_frag_reasm(struct ipq *qp, struct
> sk_buff *skb,
> nextp = &fp->next;
> fp->prev = NULL;
> memset(&fp->rbnode, 0, sizeof(fp->rbnode));
> + fp->sk = NULL;
> head->data_len += fp->len;
> head->len += fp->len;
> if (head->ip_summed != fp->ip_summed)
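Review bot: the added `fp->sk = NULL` needs a comment on that line saying why it is there, because a bare clear right after `memset(&fp->rbnode, 0, sizeof(fp->rbnode));` reads as redundant to anyone who does not know that `sk` and `ip_defrag_offset` share a union and that `ip_defrag_offset` was written after `skb_orphan()`; something like `/* sk aliases ip_defrag_offset; clear it so the frag->sk check in ip_do_fragment() sees NULL */` would do, and the same explanation belongs in the v2 commit message. It is also worth confirming in review that the head skb, which this loop does not visit (`head->data_len += fp->len;` accumulates into it), does not need the same treatment before it is handed back.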
Hi Eric! Oh, I'm sorry, I realized only just now that ip_defrag_offset would conflict with the rbnode. So this patch should be dropped. And I will make a v2 patch as you suggested! Thank you for the review and suggestion!
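As an added illustration (not code from this thread or from the kernel), the following toy model with hypothetical stand-in names shows the mechanism discussed above: writing ip_defrag_offset after skb_orphan() leaves the aliased sk non-NULL for any non-zero offset, and clearing sk at reassembly as the hunk does makes the later frag->sk check pass.

```c
#include <string.h>

struct toy_sock { int refcnt; };

/* Hypothetical stand-in for struct sk_buff: as in the kernel, the
 * owning-socket pointer and the defrag offset share one union. */
struct toy_skb {
    union {
        struct toy_sock *sk;
        int ip_defrag_offset;
    };
};

static void toy_skb_orphan(struct toy_skb *skb) { skb->sk = NULL; }

/* Queueing a fragment: orphan it, then record its offset. The offset
 * write lands in the same bytes that sk occupies. */
static void toy_queue_fragment(struct toy_skb *skb, int offset)
{
    toy_skb_orphan(skb);
    skb->ip_defrag_offset = offset;
}

/* Models the frag->sk check in ip_do_fragment(): returns 1 when the
 * fragment still appears socket-owned, which is the crashing case. */
static int toy_frag_looks_owned(const struct toy_skb *frag)
{
    return frag->sk != NULL;
}

/* Reassembly without the fix: the union is left holding the offset. */
static int toy_reasm_unfixed(struct toy_skb *frag, int offset)
{
    toy_queue_fragment(frag, offset);
    return toy_frag_looks_owned(frag);
}

/* Reassembly with the hunk's fix: clear sk once the offset is no
 * longer needed, so the later fragmentation path sees NULL. */
static int toy_reasm_fixed(struct toy_skb *frag, int offset)
{
    toy_queue_fragment(frag, offset);
    frag->sk = NULL; /* the added fp->sk = NULL */
    return toy_frag_looks_owned(frag);
}
```

A fragment at offset 0 happens to read as NULL either way, which is why only later fragments in the frag list trip the check.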