linux/net
Eric W. Biederman 381c759d99 ipv4: Avoid crashing in ip_error
ip_error does not check if in_dev is NULL before dereferencing it.

IThe following sequence of calls is possible:
CPU A                          CPU B
ip_rcv_finish
    ip_route_input_noref()
        ip_route_input_slow()
                               inetdev_destroy()
    dst_input()

With the result that a network device can be destroyed while processing
an input packet.

A crash was triggered with only unicast packets in flight, and
forwarding enabled on the only network device.   The error condition
was created by the removal of the network device.

As such it is likely the that error code was -EHOSTUNREACH, and the
action taken by ip_error (if in_dev had been accessible) would have
been to not increment any counters and to have tried and likely failed
to send an icmp error as the network device is going away.

Therefore handle this weird case by just dropping the packet if
!in_dev.  It will result in dropping the packet sooner, and will not
result in an actual change of behavior.

Fixes: 251da41301 ("ipv4: Cache ip_error() routes even when not forwarding.")
Reported-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Tested-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-22 14:23:40 -04:00
..
6lowpan
9p 9p: patches for 4.1 merge window 2015-04-18 17:45:30 -04:00
802
8021q vlan: Correctly propagate promisc|allmulti flags in notifier. 2015-05-14 00:54:32 -04:00
appletalk
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-04-15 09:00:47 -07:00
ax25 ax25: Fix the build when CONFIG_INET is disabled 2015-03-05 13:17:39 -05:00
batman-adv dev: introduce dev_get_iflink() 2015-04-02 14:04:59 -04:00
bluetooth Bluetooth: Fix remote name event return directly. 2015-05-14 10:35:04 +02:00
bridge bridge/nl: remove wrong use of NLM_F_MULTI 2015-04-29 14:59:16 -04:00
caif Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-03-20 18:51:09 -04:00
can can: introduce new raw socket option to join the given CAN filters 2015-04-01 11:28:22 +02:00
ceph crush: straw2 bucket type with an efficient 64-bit crush_ln() 2015-04-22 18:33:43 +03:00
core rtnl/bond: don't send rtnl msg for unregistered iface 2015-05-17 22:43:07 -04:00
dcb net/dcb: Add IEEE QCN attribute 2015-03-06 21:50:02 -05:00
dccp inet: fix possible panic in reqsk_queue_unlink() 2015-04-24 11:39:15 -04:00
decnet netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
dns_resolver
dsa net: dsa: Fix scope of eeprom-length property 2015-04-29 15:35:04 -04:00
ethernet
hsr
ieee802154 ieee802154: trace: fix endian convertion 2015-04-30 18:48:11 +02:00
ipv4 ipv4: Avoid crashing in ip_error 2015-05-22 14:23:40 -04:00
ipv6 ipv6: fix ECMP route replacement 2015-05-20 12:02:26 -04:00
ipx
irda Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-03-09 23:38:02 -04:00
iucv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-04-02 16:16:53 -04:00
key xfrm: simplify xfrm_address_t use 2015-03-31 13:58:35 -04:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-04-06 22:34:15 -04:00
lapb
llc
mac80211 mac80211: move WEP tailroom size check 2015-05-11 14:51:29 +02:00
mac802154 Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 2015-05-09 15:51:00 -04:00
mpls mpls: Change reserved label names to be consistent with netbsd 2015-05-09 22:29:50 -04:00
netfilter netfilter: nf_tables: fix bogus warning in nft_data_uninit() 2015-05-15 22:07:30 +02:00
netlabel netlink: implement nla_put_in_addr and nla_put_in6_addr 2015-03-31 13:58:35 -04:00
netlink netlink: Reset portid after netlink_insert failure 2015-05-16 17:08:57 -04:00
netrom
nfc nfc: Fix portid type in urelease_work 2015-04-13 16:35:16 -04:00
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-04-15 09:00:47 -07:00
packet af_packet / TX_RING not fully non-blocking (w/ MSG_DONTWAIT). 2015-05-10 19:40:08 -04:00
phonet
rds net/rds: RDS-TCP: only initiate reconnect attempt on outgoing TCP socket. 2015-05-09 16:03:28 -04:00
rfkill
rose
rxrpc new helper: msg_data_left() 2015-04-11 15:53:35 -04:00
sched net: sched: fix call_rcu() race on classifier module unloads 2015-05-21 18:48:18 -04:00
sctp sctp: avoid to repeatedly declare external variables 2015-03-25 11:40:16 -04:00
sunrpc svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures 2015-05-04 12:02:40 -04:00
switchdev rename RTNH_F_EXTERNAL to RTNH_F_OFFLOAD 2015-05-14 22:45:39 -04:00
tipc tipc: fix problem with parallel link synchronization mechanism 2015-04-29 15:08:59 -04:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-04-27 14:05:19 -07:00
vmw_vsock
wimax
wireless cfg80211: don't allow disabling WEXT if it's required 2015-04-08 09:19:29 +02:00
x25
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-04-14 15:44:14 -04:00
compat.c net: switch importing msghdr from userland to {compat_,}import_iovec() 2015-04-09 00:02:26 -04:00
Kconfig
Makefile mpls: Refactor how the mpls module is built 2015-03-04 00:26:06 -05:00
socket.c VFS: net/: d_inode() annotations 2015-04-15 15:06:56 -04:00
sysctl_net.c