From: Evgeniy Polyakov Date: Sun, 27 Apr 2008 22:27:30 +0000 (-0700) Subject: tcp: Fix slab corruption with ipv6 and tcp6fuzz X-Git-Tag: firefly_0821_release~20572^2~50 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=9ae27e0adbf471c7a6b80102e38e1d5a346b3b38;p=firefly-linux-kernel-4.4.55.git tcp: Fix slab corruption with ipv6 and tcp6fuzz From: Evgeniy Polyakov This fixes a regression added by ec3c0982a2dd1e671bad8e9d26c28dcba0039d87 ("[TCP]: TCP_DEFER_ACCEPT updates - process as established") tcp_v6_do_rcv()->tcp_rcv_established(), the latter goes to step5, where eventually skb can be freed via tcp_data_queue() (drop: label), then if check for tcp_defer_accept_check() returns true and thus tcp_rcv_established() returns -1, which forces tcp_v6_do_rcv() to jump to reset: label, which in turn will pass through discard: label and free the same skb again. Tested by Eric Sesterhenn. Signed-off-by: David S. Miller Acked-By: Patrick McManus --- diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index ac9b8482f702..0298f80681f2 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -4925,8 +4925,7 @@ step5: tcp_data_snd_check(sk); tcp_ack_snd_check(sk); - if (tcp_defer_accept_check(sk)) - return -1; + tcp_defer_accept_check(sk); return 0; csum_error: