Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit f557206800801410c30e53ce7a27219b2c4cf0ba

Authored by Herbert Xu
Committed by David S. Miller
1 parent fc8c7dc1b2
Exists in master and in 7 other branches imx_3.0.35_4.1.0, imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-l5.0.0_1.0.0-ga

gro: Fix page ref count for skbs freed normally 

When an skb with page frags is merged into an existing one, we
cannibalise its reference count.  This is OK when the skb is
reused because we set nr_frags to zero in that case.  However,
for the case where the skb is freed through kfree_skb, we didn't
clear nr_frags which causes the page to be freed prematurely.

This is fixed by moving the skb resetting into skb_gro_receive.

Reported-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 2 changed files with 6 additions and 6 deletions Side-by-side Diff

... ... @@ -2491,12 +2491,6 @@
2491 2491  
2492 2492 void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
2493 2493 {
2494   - skb_shinfo(skb)->nr_frags = 0;
2495   -
2496   - skb->len -= skb->data_len;
2497   - skb->truesize -= skb->data_len;
2498   - skb->data_len = 0;
2499   -
2500 2494 __skb_pull(skb, skb_headlen(skb));
2501 2495 skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
2502 2496  
... ... @@ -2602,6 +2602,12 @@
2602 2602 skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t));
2603 2603  
2604 2604 skb_shinfo(p)->nr_frags += skb_shinfo(skb)->nr_frags;
  2605 + skb_shinfo(skb)->nr_frags = 0;
  2606 +
  2607 + skb->truesize -= skb->data_len;
  2608 + skb->len -= skb->data_len;
  2609 + skb->data_len = 0;
  2610 +
2605 2611 NAPI_GRO_CB(skb)->free = 1;
2606 2612 goto done;
2607 2613 }