From: Menglong Dong Date: Fri, 13 May 2022 03:03:39 +0000 (+0800) Subject: net: tcp: reset 'drop_reason' to NOT_SPCIFIED in tcp_v{4,6}_rcv() X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=f8319dfd1b3b3be6c08795017fc30f880f8bc861;p=linux.git net: tcp: reset 'drop_reason' to NOT_SPCIFIED in tcp_v{4,6}_rcv() The 'drop_reason' that passed to kfree_skb_reason() in tcp_v4_rcv() and tcp_v6_rcv() can be SKB_NOT_DROPPED_YET(0), as it is used as the return value of tcp_inbound_md5_hash(). And it can panic the kernel with NULL pointer in net_dm_packet_report_size() if the reason is 0, as drop_reasons[0] is NULL. Fixes: 1330b6ef3313 ("skb: make drop reason booleanable") Reviewed-by: Jiang Biao Reviewed-by: Hao Peng Signed-off-by: Menglong Dong Signed-off-by: David S. Miller --- diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 218ad871c0e49..f09bdfc6a3213 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -2101,6 +2101,7 @@ bad_packet: } discard_it: + SKB_DR_OR(drop_reason, NOT_SPECIFIED); /* Discard frame. */ kfree_skb_reason(skb, drop_reason); return 0; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 60bdec257ba72..636ed23d9af04 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1509,6 +1509,7 @@ reset: discard: if (opt_skb) __kfree_skb(opt_skb); + SKB_DR_OR(reason, NOT_SPECIFIED); kfree_skb_reason(skb, reason); return 0; csum_err: