linux/net/ipv4
Eric W. Biederman 381c759d99 ipv4: Avoid crashing in ip_error
ip_error does not check if in_dev is NULL before dereferencing it.

IThe following sequence of calls is possible:
CPU A                          CPU B
ip_rcv_finish
    ip_route_input_noref()
        ip_route_input_slow()
                               inetdev_destroy()
    dst_input()

With the result that a network device can be destroyed while processing
an input packet.

A crash was triggered with only unicast packets in flight, and
forwarding enabled on the only network device.   The error condition
was created by the removal of the network device.

As such it is likely the that error code was -EHOSTUNREACH, and the
action taken by ip_error (if in_dev had been accessible) would have
been to not increment any counters and to have tried and likely failed
to send an icmp error as the network device is going away.

Therefore handle this weird case by just dropping the packet if
!in_dev.  It will result in dropping the packet sooner, and will not
result in an actual change of behavior.

Fixes: 251da41301 ("ipv4: Cache ip_error() routes even when not forwarding.")
Reported-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Tested-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-22 14:23:40 -04:00
..
netfilter netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
af_inet.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
ah4.c
arp.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
cipso_ipv4.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
datagram.c
devinet.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
esp4.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
fib_frontend.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-04-06 22:34:15 -04:00
fib_lookup.h
fib_rules.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
fib_semantics.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
fib_trie.c rename RTNH_F_EXTERNAL to RTNH_F_OFFLOAD 2015-05-14 22:45:39 -04:00
fou.c fou: avoid missing unlock in failure path 2015-04-16 12:11:19 -04:00
geneve.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-04-14 15:44:14 -04:00
gre_demux.c
gre_offload.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
icmp.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
igmp.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
inet_connection_sock.c inet: fix possible panic in reqsk_queue_unlink() 2015-04-24 11:39:15 -04:00
inet_diag.c tcp: prepare CC get_info() access from getsockopt() 2015-04-29 17:10:38 -04:00
inet_fragment.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
inet_hashtables.c tcp/dccp: get rid of central timewait timer 2015-04-13 16:40:05 -04:00
inet_lro.c
inet_timewait_sock.c tcp/dccp: get rid of central timewait timer 2015-04-13 16:40:05 -04:00
inetpeer.c
ip_forward.c ip_forward: Drop frames with attached skb->sk 2015-04-20 14:07:33 -04:00
ip_fragment.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
ip_gre.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
ip_input.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
ip_options.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
ip_output.c net: remove extra newlines 2015-04-07 22:24:37 -04:00
ip_sockglue.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
ip_tunnel_core.c ipv4: ip_tunnel: use net namespace from rtable not socket 2015-04-08 12:09:42 -04:00
ip_tunnel.c udp_tunnel: Pass UDP socket down through udp_tunnel{, 6}_xmit_skb(). 2015-04-07 15:29:08 -04:00
ip_vti.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
ipcomp.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
ipconfig.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
ipip.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
ipmr.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
Kconfig
Makefile
netfilter.c netfilter: Use nf_hook_state in nf_queue_entry. 2015-04-04 12:25:22 -04:00
ping.c ipv4: Missing sk_nulls_node_init() in ping_unhash(). 2015-05-01 22:02:47 -04:00
proc.c tcp/dccp: get rid of central timewait timer 2015-04-13 16:40:05 -04:00
protocol.c
raw.c Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2015-04-13 18:18:05 -04:00
route.c ipv4: Avoid crashing in ip_error 2015-05-22 14:23:40 -04:00
syncookies.c tcp: fix ipv4 mapped request socks 2015-03-25 00:57:48 -04:00
sysctl_net_ipv4.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
tcp_bic.c
tcp_cong.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-03-20 18:51:09 -04:00
tcp_cubic.c
tcp_dctcp.c tcp: prepare CC get_info() access from getsockopt() 2015-04-29 17:10:38 -04:00
tcp_diag.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
tcp_fastopen.c tcp: fix a potential deadlock in tcp_get_info() 2015-05-22 13:46:06 -04:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c tcp: prepare CC get_info() access from getsockopt() 2015-04-29 17:10:38 -04:00
tcp_input.c tcp: fix a potential deadlock in tcp_get_info() 2015-05-22 13:46:06 -04:00
tcp_ipv4.c inet: fix possible panic in reqsk_queue_unlink() 2015-04-24 11:39:15 -04:00
tcp_lp.c
tcp_memcontrol.c
tcp_metrics.c tcp: RFC7413 option support for Fast Open client 2015-04-07 18:36:39 -04:00
tcp_minisocks.c tcp/ipv6: fix flow label setting in TIME_WAIT state 2015-05-17 23:41:59 -04:00
tcp_offload.c
tcp_output.c tcp: avoid looping in tcp_send_fin() 2015-04-24 11:06:48 -04:00
tcp_probe.c
tcp_scalable.c
tcp_timer.c tcp: RFC7413 option support for Fast Open client 2015-04-07 18:36:39 -04:00
tcp_vegas.c tcp: prepare CC get_info() access from getsockopt() 2015-04-29 17:10:38 -04:00
tcp_vegas.h tcp: prepare CC get_info() access from getsockopt() 2015-04-29 17:10:38 -04:00
tcp_veno.c
tcp_westwood.c tcp_westwood: fix tcp_westwood_info() 2015-05-05 19:50:09 -04:00
tcp_yeah.c
tcp.c tcp: fix a potential deadlock in tcp_get_info() 2015-05-22 13:46:06 -04:00
tunnel4.c
udp_diag.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
udp_impl.h
udp_offload.c ipv4: coding style: comparison for inequality with NULL 2015-04-03 12:11:15 -04:00
udp_tunnel.c udp_tunnel: Pass UDP socket down through udp_tunnel{, 6}_xmit_skb(). 2015-04-07 15:29:08 -04:00
udp.c net: remove extra newlines 2015-04-07 22:24:37 -04:00
udplite.c
xfrm4_input.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c ipv4: hash net ptr into fragmentation bucket selection 2015-03-25 14:07:04 -04:00
xfrm4_output.c netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
xfrm4_policy.c ipv4: coding style: comparison for equality with NULL 2015-04-03 12:11:15 -04:00
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c