ieee802154: properly unshare skbs in ieee802154 *_rcv functions ieee802154 sockets do not properly unshare received skbs, which leads to panics (at least) when they are used in conjunction with 6lowpan, so run skb_share_check on received skbs. 6lowpan also contains a use-after-free, which is trivially fixed by replacing the inlined skb_share_check with the explicit call. Signed-off-by: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de> Tested-by: Alexander Aring <alex.aring@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 8cfad496c4257441710735ccef622f3829870164 [log] [tgz]
author: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de> Mon Mar 17 18:30:19 2014 +0100
committer: David S. Miller <davem@davemloft.net> Tue Mar 18 15:59:25 2014 -0400
tree: e5574aa1fac1cac858f94fffb571516bc35809dc
parent: 3c5dfeff932224d3c97cee9fd0d1e2876d700ad3 [diff] [blame]
diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c
index 4c47154..6d251a3 100644
--- a/net/ieee802154/dgram.c
+++ b/net/ieee802154/dgram.c

@@ -329,6 +329,10 @@
 
 static int dgram_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
+	skb = skb_share_check(skb, GFP_ATOMIC);
+	if (!skb)
+		return NET_RX_DROP;
+
 	if (sock_queue_rcv_skb(sk, skb) < 0) {
 		kfree_skb(skb);
 		return NET_RX_DROP;
commit	8cfad496c4257441710735ccef622f3829870164	[log] [tgz]
author	Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>	Mon Mar 17 18:30:19 2014 +0100
committer	David S. Miller <davem@davemloft.net>	Tue Mar 18 15:59:25 2014 -0400
tree	e5574aa1fac1cac858f94fffb571516bc35809dc
parent	3c5dfeff932224d3c97cee9fd0d1e2876d700ad3 [diff] [blame]