[IPV6]: Fix OOPS when using IPV6_ADDRFORM

This causes sk->sk_prot to change, which makes the socket
release free the sock into the wrong SLAB cache.  Fix this
by introducing sk_prot_creator so that we always remember
where the sock came from.

Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/sock.h b/include/net/sock.h
index cc4c919..77f02f8 100644 (file)
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -141,6 +141,7 @@ struct sock_common {
   *    @sk_callback_lock: used with the callbacks in the end of this struct
   *    @sk_error_queue: rarely used
   *    @sk_prot: protocol handlers inside a network family
+  *    @sk_prot_creator: sk_prot of original sock creator (see ipv6_setsockopt, IPV6_ADDRFORM for instance)
   *    @sk_err: last error
   *    @sk_err_soft: errors that don't cause failure but are the cause of a persistent failure not just 'timed out'
   *    @sk_ack_backlog: current listen backlog
@@ -218,6 +219,7 @@ struct sock {
        } sk_backlog;
        struct sk_buff_head     sk_error_queue;
        struct proto            *sk_prot;
+       struct proto            *sk_prot_creator;
        rwlock_t                sk_callback_lock;
        int                     sk_err,
                                sk_err_soft;

diff --git a/net/core/sock.c b/net/core/sock.c
index 98171dd..92c0676 100644 (file)
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -635,7 +635,11 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it)
                if (zero_it) {
                        memset(sk, 0, prot->obj_size);
                        sk->sk_family = family;
-                       sk->sk_prot = prot;
+                       /*
+                        * See comment in struct sock definition to understand
+                        * why we need sk_prot_creator -acme
+                        */
+                       sk->sk_prot = sk->sk_prot_creator = prot;
                        sock_lock_init(sk);
                }
                
@@ -654,7 +658,7 @@ struct sock *sk_alloc(int family, int priority, struct proto *prot, int zero_it)
 void sk_free(struct sock *sk)
 {
        struct sk_filter *filter;
-       struct module *owner = sk->sk_prot->owner;
+       struct module *owner = sk->sk_prot_creator->owner;
 
        if (sk->sk_destruct)
                sk->sk_destruct(sk);
@@ -672,8 +676,8 @@ void sk_free(struct sock *sk)
                       __FUNCTION__, atomic_read(&sk->sk_omem_alloc));
 
        security_sk_free(sk);
-       if (sk->sk_prot->slab != NULL)
-               kmem_cache_free(sk->sk_prot->slab, sk);
+       if (sk->sk_prot_creator->slab != NULL)
+               kmem_cache_free(sk->sk_prot_creator->slab, sk);
        else
                kfree(sk);
        module_put(owner);