xt_qtaguid: Fix panic caused by processing non-full socket.

In an issue very similar to 4e461c777e3 (xt_qtaguid: Fix panic caused by synack processing), we were seeing panics on occasion in testing. In this case, it was the same issue, but caused by a different call path, as the sk being returned from qtaguid_find_sk() was not a full socket. Resulting in the sk->sk_socket deref to fail. This patch adds an extra check to ensure the sk being retuned is a full socket, and if not it returns NULL. Reported-by: Milosz Wasilewski <milosz.wasilewski@linaro.org> Signed-off-by: John Stultz <john.stultz@linaro.org>
author: John Stultz <john.stultz@linaro.org> 2016-05-12 11:17:52 -0700
committer: Amit Pundir <amit.pundir@linaro.org> 2016-05-19 12:35:13 +0530
commit: 4158b3431f473aad101da1100a9b241ff8b3cc74 (patch)
tree: 1950e0732f819823a032b895a9f124d3c4c29e99 /net
parent: f73ca028a0a4cc307597efc6ef2c910dc2d20639 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/xt_qtaguid.c b/net/netfilter/xt_qtaguid.c
index 822dc3c3bce1..e2e7d54f9bb1 100644
--- a/net/netfilter/xt_qtaguid.c
+++ b/net/netfilter/xt_qtaguid.c
@@ -1606,7 +1606,7 @@ static struct sock *qtaguid_find_sk(const struct sk_buff *skb,
 		 * When in TCP_TIME_WAIT the sk is not a "struct sock" but
 		 * "struct inet_timewait_sock" which is missing fields.
 		 */
-		if (sk->sk_state  == TCP_TIME_WAIT) {
+		if (!sk_fullsock(sk) || sk->sk_state  == TCP_TIME_WAIT) {
 			sock_gen_put(sk);
 			sk = NULL;
 		}
author	John Stultz <john.stultz@linaro.org>	2016-05-12 11:17:52 -0700
committer	Amit Pundir <amit.pundir@linaro.org>	2016-05-19 12:35:13 +0530
commit	4158b3431f473aad101da1100a9b241ff8b3cc74 (patch)
tree	1950e0732f819823a032b895a9f124d3c4c29e99 /net
parent	f73ca028a0a4cc307597efc6ef2c910dc2d20639 (diff)