[IPV6]: Fix OOPS when using IPV6_ADDRFORM

This causes sk->sk_prot to change, which makes the socket release free the sock into the wrong SLAB cache. Fix this by introducing sk_prot_creator so that we always remember where the sock came from. Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>

[IPV6]: Fix OOPS when using IPV6_ADDRFORM
This causes sk->sk_prot to change, which makes the socket release free the sock into the wrong SLAB cache. Fix this by introducing sk_prot_creator so that we always remember where the sock came from. Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>
476e19cf · Arnaldo Carvalho de Melo · David S. Miller · 25ae3f59 · 476e19cf · 476e19cf
Commit 476e19cf authored May 05, 2005 by Arnaldo Carvalho de Melo Committed by David S. Miller May 05, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 4 deletions

include/net/sock.h include/net/sock.h +2 -0

net/core/sock.c net/core/sock.c +8 -4

No files found.
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -141,6 +141,7 @@ struct sock_common {
  *	@sk_callback_lock: used with the callbacks in the end of this struct
  *	@sk_error_queue: rarely used
  *	@sk_prot: protocol handlers inside a network family
+  *	@sk_prot_creator: sk_prot of original sock creator (see ipv6_setsockopt, IPV6_ADDRFORM for instance)
  *	@sk_err: last error
  *	@sk_err_soft: errors that don't cause failure but are the cause of a persistent failure not just 'timed out'
  *	@sk_ack_backlog: current listen backlog
@@ -218,6 +219,7 @@ struct sock {
 	} sk_backlog;
 	struct sk_buff_head	sk_error_queue;
 	struct proto		*sk_prot;
+	struct proto		*sk_prot_creator;
 	rwlock_t		sk_callback_lock;
 	int			sk_err,
 				sk_err_soft;

--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -635,7 +635,11 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it)
 		if (zero_it) {
 			memset(sk, 0, prot->obj_size);
 			sk->sk_family = family;
-			sk->sk_prot = prot;
+			/*
+			 * See comment in struct sock definition to understand
+			 * why we need sk_prot_creator -acme
+			 */
+			sk->sk_prot = sk->sk_prot_creator = prot;
 			sock_lock_init(sk);
 		}
@@ -654,7 +658,7 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it)
 void sk_free(struct sock *sk)
 {
 	struct sk_filter *filter;
-	struct module *owner = sk->sk_prot->owner;
+	struct module *owner = sk->sk_prot_creator->owner;
 	if (sk->sk_destruct)
 		sk->sk_destruct(sk);
@@ -672,8 +676,8 @@ void sk_free(struct sock *sk)
 		       __FUNCTION__, atomic_read(&sk->sk_omem_alloc));
 	security_sk_free(sk);
-	if (sk->sk_prot->slab != NULL)
+	if (sk->sk_prot_creator->slab != NULL)
-		kmem_cache_free(sk->sk_prot->slab, sk);
+		kmem_cache_free(sk->sk_prot_creator->slab, sk);
 	else
 		kfree(sk);
 	module_put(owner);