summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2014-05-16 11:34:37 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2014-05-31 13:20:38 -0700
commitd83924d7681e7048d639debb614bdd1d9183d201 (patch)
tree9c7160a7e6d791bdf5bc923f2cd5d0578293c1fa
parent2132c5ea87fe6061762813b4f84b3846347de09c (diff)
downloadlwn-d83924d7681e7048d639debb614bdd1d9183d201.tar.gz
lwn-d83924d7681e7048d639debb614bdd1d9183d201.zip
net: gro: make sure skb->cb[] initial content has not to be zero
[ Upstream commit 29e98242783ed3ba569797846a606ba66f781625 ] Starting from linux-3.13, GRO attempts to build full size skbs. Problem is the commit assumed one particular field in skb->cb[] was clean, but it is not the case on some stacked devices. Timo reported a crash in case traffic is decrypted before reaching a GRE device. Fix this by initializing NAPI_GRO_CB(skb)->last at the right place, this also removes one conditional. Thanks a lot to Timo for providing full reports and bisecting this. Fixes: 8a29111c7ca6 ("net: gro: allow to build full sized skb") Bisected-by: Timo Teras <timo.teras@iki.fi> Signed-off-by: Eric Dumazet <edumazet@google.com> Tested-by: Timo Teräs <timo.teras@iki.fi> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/core/dev.c1
-rw-r--r--net/core/skbuff.c4
2 files changed, 3 insertions, 2 deletions
diff --git a/net/core/dev.c b/net/core/dev.c
index 6de84014f3e0..62d29d94dbbf 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3944,6 +3944,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff
}
NAPI_GRO_CB(skb)->count = 1;
NAPI_GRO_CB(skb)->age = jiffies;
+ NAPI_GRO_CB(skb)->last = skb;
skb_shinfo(skb)->gso_size = skb_gro_len(skb);
skb->next = napi->gro_list;
napi->gro_list = skb;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 31d7cd79ff84..e5ae776ee9b4 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3076,7 +3076,7 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb)
if (unlikely(p->len + len >= 65536))
return -E2BIG;
- lp = NAPI_GRO_CB(p)->last ?: p;
+ lp = NAPI_GRO_CB(p)->last;
pinfo = skb_shinfo(lp);
if (headlen <= offset) {
@@ -3192,7 +3192,7 @@ merge:
__skb_pull(skb, offset);
- if (!NAPI_GRO_CB(p)->last)
+ if (NAPI_GRO_CB(p)->last == p)
skb_shinfo(p)->frag_list = skb;
else
NAPI_GRO_CB(p)->last->next = skb;