Commit d83924d7681e7048d639debb614bdd1d9183d201

Authored by Eric Dumazet
Committed by Greg Kroah-Hartman
1 parent 2132c5ea87

net: gro: make sure skb->cb[] initial content has not to be zero

[ Upstream commit 29e98242783ed3ba569797846a606ba66f781625 ]

Starting from linux-3.13, GRO attempts to build full size skbs.

Problem is the commit assumed one particular field in skb->cb[]
was clean, but it is not the case on some stacked devices.

Timo reported a crash in case traffic is decrypted before
reaching a GRE device.

Fix this by initializing NAPI_GRO_CB(skb)->last at the right place,
this also removes one conditional.

Thanks a lot to Timo for providing full reports and bisecting this.

Fixes: 8a29111c7ca6 ("net: gro: allow to build full sized skb")
Bisected-by: Timo Teras <timo.teras@iki.fi>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Showing 2 changed files with 3 additions and 2 deletions

... ... @@ -3944,6 +3944,7 @@
3944 3944 }
3945 3945 NAPI_GRO_CB(skb)->count = 1;
3946 3946 NAPI_GRO_CB(skb)->age = jiffies;
  3947 + NAPI_GRO_CB(skb)->last = skb;
3947 3948 skb_shinfo(skb)->gso_size = skb_gro_len(skb);
3948 3949 skb->next = napi->gro_list;
3949 3950 napi->gro_list = skb;
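Review bot: The assignment at 3947, `NAPI_GRO_CB(skb)->last = skb;`, carries an invariant that is not documented here: once an skb heads a gro_list entry, ->last is never NULL and points at the skb itself until something is chained behind it. The other two hunks drop their NULL handling on the strength of this one line, so a short comment stating the invariant would help. It is also worth confirming that no other path links an skb into napi->gro_list without passing through this spot, since the commit message notes that skb->cb[] can arrive with leftover content on stacked devices.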
... ... @@ -3076,7 +3076,7 @@
3076 3076 if (unlikely(p->len + len >= 65536))
3077 3077 return -E2BIG;
3078 3078  
3079   - lp = NAPI_GRO_CB(p)->last ?: p;
  3079 + lp = NAPI_GRO_CB(p)->last;
3080 3080 pinfo = skb_shinfo(lp);
3081 3081  
3082 3082 if (headlen <= offset) {
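Review bot: Missing guard or comment at 3079: the value from `lp = NAPI_GRO_CB(p)->last;` goes straight into `skb_shinfo(lp)` on the next line with no fallback, so this path trusts ->last unconditionally. That holds only if every p reaching this point had ->last initialised when it was queued. A one-line comment naming that dependency, or a debug-only sanity check on lp, would make it visible to whoever next touches this function.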
... ... @@ -3192,7 +3192,7 @@
3192 3192  
3193 3193 __skb_pull(skb, offset);
3194 3194  
3195   - if (!NAPI_GRO_CB(p)->last)
  3195 + if (NAPI_GRO_CB(p)->last == p)
3196 3196 skb_shinfo(p)->frag_list = skb;
3197 3197 else
3198 3198 NAPI_GRO_CB(p)->last->next = skb;
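Review bot: Any ->last value other than p falls through to the else branch at 3198, `NAPI_GRO_CB(p)->last->next = skb;`, which writes through the stored pointer, so the `== p` test at 3195 is only as safe as the initialisation of ->last when p was queued. Stale cb[] content that is neither NULL nor p would turn this into a write to an arbitrary address, which makes the dependency worth stating in a comment next to the test. The code that updates ->last after this if/else is outside the visible context; please confirm it still sets ->last to the newly appended skb so the comparison is false on the next merge.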