To: <ja@xxxxxx>, <horms@xxxxxxxxxxxx>, <lvs-devel@xxxxxxxxxxxxxxx>
Subject: [PATCH net-next] ipvs: orphan_skb in tunnel transmit case
Cc: <kernel-team@xxxxxx>, Alex Gartrell <agartrell@xxxxxx>
From: Alex Gartrell <agartrell@xxxxxx>
Date: Wed, 1 Jul 2015 13:50:22 -0700

It's possible that the sk came from early_demux.  This will blow up every
time in the TCP_TIME_WAIT case in ip_local_out.  No similar crashes exist
for masquerade or gateway because they do not use ip_local_out{,6}.

Signed-off-by: Alex Gartrell <agartrell@xxxxxx>
 net/netfilter/ipvs/ip_vs_xmit.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index bf66a86..1db0ca7 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -521,6 +521,13 @@ static inline int ip_vs_tunnel_xmit_prepare(struct sk_buff 
        if (unlikely(cp->flags & IP_VS_CONN_F_NFCT))
                ret = ip_vs_confirm_conntrack(skb);
        if (ret == NF_ACCEPT) {
+               /* In this case, skb is associated with an old, receiving
+                * socket, which may be in TIME-WAIT and invalid for the
+                * forward path, so we orphan it.
+                */
+               if (skb->dev)
+                       skb_orphan(skb);
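Review bot: The new `if (skb->dev)` guard inside the `ret == NF_ACCEPT` branch is not explained by the comment above it. The comment describes a stale receiving socket (possibly in TIME-WAIT) attached to the skb, yet the condition tests the device pointer rather than anything about the socket, so a reader cannot tell which packets are meant to skip the orphan. Please extend the comment to say what a non-NULL `skb->dev` identifies at this point in the tunnel transmit path and why packets without it must keep their socket association. If there is no such case, call `skb_orphan(skb)` unconditionally. The commit message would also be easier to follow if it named the field that ip_local_out touches on the TIME-WAIT socket, since "blow up" does not say what fails.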
Alex Gartrell <agartrell@xxxxxx>

