net: tcp: reset 'drop_reason' to NOT_SPCIFIED in tcp_v{4,6}_rcv()

The 'drop_reason' that passed to kfree_skb_reason() in tcp_v4_rcv()
and tcp_v6_rcv() can be SKB_NOT_DROPPED_YET(0), as it is used as the
return value of tcp_inbound_md5_hash().

And it can panic the kernel with NULL pointer in
net_dm_packet_report_size() if the reason is 0, as drop_reasons[0]
is NULL.

Fixes: 1330b6ef3313 ("skb: make drop reason booleanable")
Reviewed-by: Jiang Biao <benbjiang@tencent.com>
Reviewed-by: Hao Peng <flyingpeng@tencent.com>
Signed-off-by: Menglong Dong <imagedong@tencent.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 218ad871c0e4965a8d5b91c45faa3c2f624ed257..f09bdfc6a32132fb95a2f0d7d9fbd596a9415941 100644 (file)
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2101,6 +2101,7 @@ bad_packet:
        }
 
 discard_it:
+       SKB_DR_OR(drop_reason, NOT_SPECIFIED);
        /* Discard frame. */
        kfree_skb_reason(skb, drop_reason);
        return 0;

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 60bdec257ba7220d6c05b48208a587c7be2b4087..636ed23d9af04c2825379232950376da145419e2 100644 (file)
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1509,6 +1509,7 @@ reset:
 discard:
        if (opt_skb)
                __kfree_skb(opt_skb);
+       SKB_DR_OR(reason, NOT_SPECIFIED);
        kfree_skb_reason(skb, reason);
        return 0;
 csum_err: