linux

mirror of https://github.com/torvalds/linux.git synced 2025-11-02 17:49:03 +02:00

History

Jibin Zhang f920436a44 net: use sock_gen_put() when sk_state is TCP_TIME_WAIT It is possible for a pointer of type struct inet_timewait_sock to be returned from the functions __inet_lookup_established() and __inet6_lookup_established(). This can cause a crash when the returned pointer is of type struct inet_timewait_sock and sock_put() is called on it. The following is a crash call stack that shows sk->sk_wmem_alloc being accessed in sk_free() during the call to sock_put() on a struct inet_timewait_sock pointer. To avoid this issue, use sock_gen_put() instead of sock_put() when sk->sk_state is TCP_TIME_WAIT. mrdump.ko ipanic() + 120 vmlinux notifier_call_chain(nr_to_call=-1, nr_calls=0) + 132 vmlinux atomic_notifier_call_chain(val=0) + 56 vmlinux panic() + 344 vmlinux add_taint() + 164 vmlinux end_report() + 136 vmlinux kasan_report(size=0) + 236 vmlinux report_tag_fault() + 16 vmlinux do_tag_recovery() + 16 vmlinux __do_kernel_fault() + 88 vmlinux do_bad_area() + 28 vmlinux do_tag_check_fault() + 60 vmlinux do_mem_abort() + 80 vmlinux el1_abort() + 56 vmlinux el1h_64_sync_handler() + 124 vmlinux > 0xFFFFFFC080011294() vmlinux __lse_atomic_fetch_add_release(v=0xF2FFFF82A896087C) vmlinux __lse_atomic_fetch_sub_release(v=0xF2FFFF82A896087C) vmlinux arch_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux raw_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux __refcount_sub_and_test(i=1, r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux __refcount_dec_and_test(r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux refcount_dec_and_test(r=0xF2FFFF82A896087C) + 8 vmlinux sk_free(sk=0xF2FFFF82A8960700) + 28 vmlinux sock_put() + 48 vmlinux tcp6_check_fraglist_gro() + 236 vmlinux tcp6_gro_receive() + 624 vmlinux ipv6_gro_receive() + 912 vmlinux dev_gro_receive() + 1116 vmlinux napi_gro_receive() + 196 ccmni.ko ccmni_rx_callback() + 208 ccmni.ko ccmni_queue_recv_skb() + 388 ccci_dpmaif.ko dpmaif_rxq_push_thread() + 1088 vmlinux kthread() + 268 vmlinux 0xFFFFFFC08001F30C() Fixes: `c9d1d23e52` ("net: add heuristic for enabling TCP fraglist GRO") Signed-off-by: Jibin Zhang <jibin.zhang@mediatek.com> Signed-off-by: Shiming Cheng <shiming.cheng@mediatek.com> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Link: https://patch.msgid.link/20250429020412.14163-1-shiming.cheng@mediatek.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>		2025-05-01 07:00:19 -07:00
..
netfilter	netfilter: fib: avoid lookup if socket is available	2025-03-21 10:12:15 +01:00
af_inet.c	net: dismiss sk_forward_alloc_get()	2025-02-19 19:05:28 -08:00
ah4.c	net: fill in MODULE_DESCRIPTION()s for ipv4 modules	2024-02-09 14:12:02 -08:00
arp.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2025-02-20 10:37:30 -08:00
bpf_tcp_ca.c	tcp: Pass flags to __tcp_send_ack	2025-03-17 13:56:38 +00:00
cipso_ipv4.c	move asm/unaligned.h to linux/unaligned.h	2024-10-02 17:23:23 -04:00
datagram.c	ipv4: Use inet_sk_init_flowi4() in ip4_datagram_release_cb().	2024-12-20 13:50:09 -08:00
devinet.c	net: switch to netif_disable_lro in inetdev_init	2025-04-03 15:32:08 -07:00
esp4.c	ipsec-2025-01-27	2025-01-27 15:15:12 -08:00
esp4_offload.c	xfrm: Add an inbound percpu state cache.	2024-10-29 11:56:18 +01:00
fib_frontend.c	inet: fix lwtunnel_valid_encap_type() lock imbalance	2025-03-05 19:16:56 -08:00
fib_lookup.h
fib_notifier.c	net: do not acquire rtnl in fib_seq_sum()	2024-10-11 15:35:05 -07:00
fib_rules.c	ipv4: fib_rules: Add DSCP mask matching	2025-02-21 16:08:47 -08:00
fib_semantics.c	ipv4: fib: Namespacify fib_info hash tables.	2025-03-03 15:04:10 -08:00
fib_trie.c	ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config().	2025-03-03 15:04:11 -08:00
fou_bpf.c	ip_tunnel: convert __be16 tunnel flags to bitmaps	2024-04-01 10:49:28 +01:00
fou_core.c	fou: fix initialization of grc	2024-09-09 17:21:47 -07:00
fou_nl.c	tools: ynl-gen: use big-endian netlink attribute types	2024-10-22 15:33:24 +02:00
fou_nl.h
gre_demux.c	ip_tunnel: convert __be16 tunnel flags to bitmaps	2024-04-01 10:49:28 +01:00
gre_offload.c	net: gro: rename skb_gro_header_hard()	2024-03-05 13:30:11 +01:00
icmp.c	inet: ping: avoid skb_clone() dance in ping_rcv()	2025-02-28 14:41:33 -08:00
igmp.c	treewide: Switch/rename to timer_delete[_sync]()	2025-04-05 10:30:12 +02:00
igmp_internal.h	netlink: support dumping IPv4 multicast addresses	2025-02-11 11:26:53 +01:00
inet_connection_sock.c	tcp/dccp: Remove inet_connection_sock_af_ops.addr2sockaddr().	2025-03-24 12:10:13 -07:00
inet_diag.c	tcp/dccp: remove icsk->icsk_timeout	2025-03-25 10:34:33 -07:00
inet_fragment.c	treewide: Switch/rename to timer_delete[_sync]()	2025-04-05 10:30:12 +02:00
inet_hashtables.c	inet: call inet6_ehashfn() once from inet6_hash_connect()	2025-03-06 15:26:02 -08:00
inet_timewait_sock.c	tcp: add RCU management to inet_bind_bucket	2025-03-04 17:46:26 -08:00
inetpeer.c	inetpeer: use EXPORT_IPV6_MOD[_GPL]()	2025-02-14 13:09:39 -08:00
ip_forward.c
ip_fragment.c	inet: frags: save a pair of atomic operations in reassembly	2025-03-18 13:18:36 +01:00
ip_gre.c	net: ip_tunnel: Use link netns in newlink() of rtnl_link_ops	2025-02-21 15:28:02 -08:00
ip_input.c	ipv4: remove useless arg	2025-01-02 17:17:40 -08:00
ip_options.c	net: ip: make ip_route_input() return drop reasons	2024-11-12 11:24:51 +01:00
ip_output.c	tcp: add new TCP_TW_ACK_OOW state and allow ECN bits in TOS	2025-03-17 13:56:17 +00:00
ip_sockglue.c	Networking changes for 6.14.	2025-01-22 08:28:57 -08:00
ip_tunnel.c	net: move misc netdev_lock flavors to a separate header	2025-03-08 09:06:50 -08:00
ip_tunnel_core.c	net: fix geneve_opt length integer overflow	2025-04-03 15:47:35 -07:00
ip_vti.c	net: ip_tunnel: Use link netns in newlink() of rtnl_link_ops	2025-02-21 15:28:02 -08:00
ipcomp.c
ipconfig.c
ipip.c	net: ip_tunnel: Use link netns in newlink() of rtnl_link_ops	2025-02-21 15:28:02 -08:00
ipmr.c	treewide: Switch/rename to timer_delete[_sync]()	2025-04-05 10:30:12 +02:00
ipmr_base.c	ipmr: do not call mr_mfc_uses_dev() for unres entries	2025-01-23 07:08:13 -08:00
Kconfig	net/tcp: Expand goo.gl link	2024-07-30 18:35:12 -07:00
Makefile
metrics.c	net: remove NULL-pointer net parameter in ip_metrics_convert	2024-06-05 10:06:00 +01:00
netfilter.c	netfilter: ipv4: Convert ip_route_me_harder() to dscp_t.	2024-11-15 11:00:29 +01:00
netlink.c
nexthop.c	nexthop: Convert RTM_DELNEXTHOP to per-netns RTNL.	2025-03-25 07:32:00 -07:00
ping.c	inet: ping: avoid skb_clone() dance in ping_rcv()	2025-02-28 14:41:33 -08:00
proc.c	tcp: be less liberal in TSEcr received while in SYN_RECV state	2025-02-26 18:11:17 -08:00
protocol.c
raw.c	ipv4: remove get_rttos	2025-02-18 18:27:19 -08:00
raw_diag.c	inet_diag: add module pointer to "struct inet_diag_handler"	2024-01-23 15:13:54 +01:00
route.c	ipv4: use RCU protection in __ip_rt_update_pmtu()	2025-02-06 16:14:14 -08:00
syncookies.c	tcp: be less liberal in TSEcr received while in SYN_RECV state	2025-02-26 18:11:17 -08:00
sysctl_net_ipv4.c	tcp: add tcp_rto_max_ms sysctl	2025-02-11 13:08:00 +01:00
tcp.c	Revert "tcp: avoid atomic operations on sk->sk_rmem_alloc"	2025-03-31 16:53:54 -07:00
tcp_ao.c	net/tcp: Add missing lockdep annotations for TCP-AO hlist traversals	2024-11-03 12:10:11 -08:00
tcp_bbr.c	tcp: Add new args for cong_control in tcp_congestion_ops	2024-05-02 16:26:56 -07:00
tcp_bic.c
tcp_bpf.c	bpf: Fix wrong copied_seq calculation	2025-01-29 13:32:23 -08:00
tcp_cdg.c
tcp_cong.c	tcp: only release congestion control if it has been initialized	2024-10-31 18:22:48 -07:00
tcp_cubic.c	tcp_cubic: fix incorrect HyStart round start detection	2025-01-20 12:26:41 +00:00
tcp_dctcp.c	tcp: helpers for ECN mode handling	2025-03-17 13:54:11 +00:00
tcp_dctcp.h	tcp: Pass flags to __tcp_send_ack	2025-03-17 13:56:38 +00:00
tcp_diag.c	tcp: ulp: diag: more info without CAP_NET_ADMIN	2025-03-07 19:39:53 -08:00
tcp_fastopen.c	Revert "tcp: avoid atomic operations on sk->sk_rmem_alloc"	2025-03-31 16:53:54 -07:00
tcp_highspeed.c
tcp_htcp.c	tcp: Use clamp() in htcp_alpha_update()	2024-08-06 12:16:25 -07:00
tcp_hybla.c
tcp_illinois.c
tcp_input.c	Revert "tcp: avoid atomic operations on sk->sk_rmem_alloc"	2025-03-31 16:53:54 -07:00
tcp_ipv4.c	tcp/dccp: remove icsk->icsk_timeout	2025-03-25 10:34:33 -07:00
tcp_lp.c
tcp_metrics.c	tcp: convert to dev_net_rcu()	2025-03-03 15:44:19 -08:00
tcp_minisocks.c	tcp: add new TCP_TW_ACK_OOW state and allow ECN bits in TOS	2025-03-17 13:56:17 +00:00
tcp_nv.c
tcp_offload.c	net: use sock_gen_put() when sk_state is TCP_TIME_WAIT	2025-05-01 07:00:19 -07:00
tcp_output.c	tcp/dccp: remove icsk->icsk_ack.timeout	2025-03-25 10:34:33 -07:00
tcp_plb.c
tcp_rate.c
tcp_recovery.c
tcp_scalable.c
tcp_sigpool.c	net/tcp_sigpool: Use nested-BH locking for sigpool_scratch.	2024-06-24 16:41:22 -07:00
tcp_timer.c	Networking changes for 6.15.	2025-03-26 21:48:21 -07:00
tcp_ulp.c
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tunnel4.c	net: fill in MODULE_DESCRIPTION()s for ipv4 modules	2024-02-09 14:12:02 -08:00
udp.c	udp: Fix memory accounting leak.	2025-04-02 17:18:27 -07:00
udp_bpf.c
udp_diag.c	inet_diag: add module pointer to "struct inet_diag_handler"	2024-01-23 15:13:54 +01:00
udp_impl.h
udp_offload.c	net: ipv6: fix UDPv6 GSO segmentation with NAT	2025-04-29 14:46:28 -07:00
udp_tunnel_core.c	Revert "udp_tunnel: GRO optimizations"	2025-03-25 09:15:07 -07:00
udp_tunnel_nic.c
udp_tunnel_stub.c
udplite.c
xfrm4_input.c	ipv4: Convert ip_route_input_noref() to dscp_t.	2024-10-03 16:21:21 -07:00
xfrm4_output.c
xfrm4_policy.c	xfrm: Convert struct xfrm_dst_lookup_params -> tos to dscp_t.	2024-11-06 12:42:51 +01:00
xfrm4_protocol.c	ipv4: Convert ip_route_input_noref() to dscp_t.	2024-10-03 16:21:21 -07:00
xfrm4_state.c
xfrm4_tunnel.c	net: fill in MODULE_DESCRIPTION()s for ipv4 modules	2024-02-09 14:12:02 -08:00