aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArnaldo Carvalho de Melo2005-05-05 13:35:15 -0700
committerDavid S. Miller2005-05-05 13:35:15 -0700
commit476e19cfa131e2b6eedc4017b627cdc4ca419ffb (patch)
tree8c6881affa0d20a3ce2dd8d4f9a5b0ba588916c5
parent25ae3f59b10dbd5e2b9b192ecc90ea935cc23e68 (diff)
[IPV6]: Fix OOPS when using IPV6_ADDRFORM
This causes sk->sk_prot to change, which makes the socket release free the sock into the wrong SLAB cache. Fix this by introducing sk_prot_creator so that we always remember where the sock came from. Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/sock.h2
-rw-r--r--net/core/sock.c12
2 files changed, 10 insertions, 4 deletions
diff --git a/include/net/sock.h b/include/net/sock.h
index cc4c9190b7fd..77f02f86346e 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -141,6 +141,7 @@ struct sock_common {
* @sk_callback_lock: used with the callbacks in the end of this struct
* @sk_error_queue: rarely used
* @sk_prot: protocol handlers inside a network family
+ * @sk_prot_creator: sk_prot of original sock creator (see ipv6_setsockopt, IPV6_ADDRFORM for instance)
* @sk_err: last error
* @sk_err_soft: errors that don't cause failure but are the cause of a persistent failure not just 'timed out'
* @sk_ack_backlog: current listen backlog
@@ -218,6 +219,7 @@ struct sock {
} sk_backlog;
struct sk_buff_head sk_error_queue;
struct proto *sk_prot;
+ struct proto *sk_prot_creator;
rwlock_t sk_callback_lock;
int sk_err,
sk_err_soft;
diff --git a/net/core/sock.c b/net/core/sock.c
index 98171ddd7e7d..92c0676e4708 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -635,7 +635,11 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it)
if (zero_it) {
memset(sk, 0, prot->obj_size);
sk->sk_family = family;
- sk->sk_prot = prot;
+ /*
+ * See comment in struct sock definition to understand
+ * why we need sk_prot_creator -acme
+ */
+ sk->sk_prot = sk->sk_prot_creator = prot;
sock_lock_init(sk);
}
@@ -654,7 +658,7 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it)
void sk_free(struct sock *sk)
{
struct sk_filter *filter;
- struct module *owner = sk->sk_prot->owner;
+ struct module *owner = sk->sk_prot_creator->owner;
if (sk->sk_destruct)
sk->sk_destruct(sk);
@@ -672,8 +676,8 @@ void sk_free(struct sock *sk)
__FUNCTION__, atomic_read(&sk->sk_omem_alloc));
security_sk_free(sk);
- if (sk->sk_prot->slab != NULL)
- kmem_cache_free(sk->sk_prot->slab, sk);
+ if (sk->sk_prot_creator->slab != NULL)
+ kmem_cache_free(sk->sk_prot_creator->slab, sk);
else
kfree(sk);
module_put(owner);