Commit d83924d7681e7048d639debb614bdd1d9183d201
Committed by Greg Kroah-Hartman
1 parent 2132c5ea87
Exists in ti-linux-3.14.y and in 2 other branches
net: gro: make sure skb->cb[] initial content has not to be zero
[ Upstream commit 29e98242783ed3ba569797846a606ba66f781625 ]

Starting from linux-3.13, GRO attempts to build full size skbs.

Problem is the commit assumed one particular field in skb->cb[] was clean, but it is not the case on some stacked devices.

Timo reported a crash in case traffic is decrypted before reaching a GRE device.

Fix this by initializing NAPI_GRO_CB(skb)->last at the right place, this also removes one conditional.

Thanks a lot to Timo for providing full reports and bisecting this.

Fixes: 8a29111c7ca6 ("net: gro: allow to build full sized skb")
Bisected-by: Timo Teras <timo.teras@iki.fi>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing 2 changed files with 3 additions and 2 deletions
net/core/dev.c
net/core/skbuff.c
... | ... | @@ -3076,7 +3076,7 @@ |
3076 | 3076 | if (unlikely(p->len + len >= 65536)) |
3077 | 3077 | return -E2BIG; |
3078 | 3078 | |
3079 | - lp = NAPI_GRO_CB(p)->last ?: p; | |
3079 | + lp = NAPI_GRO_CB(p)->last; | |
3080 | 3080 | pinfo = skb_shinfo(lp); |
3081 | 3081 | |
3082 | 3082 | if (headlen <= offset) { |
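Review bot: with the `?: p` fallback removed, `lp = NAPI_GRO_CB(p)->last;` feeds straight into `skb_shinfo(lp)`, so this line is only safe if ->last has been set for every p before it reaches this point, and that initialization is not visible in this hunk. The commit message says skb->cb[] can carry non-zero leftovers on stacked devices, so the old NULL test could not tell a stale value from a valid one; the fix therefore depends entirely on the initialization being unconditional. Suggest a short comment above this line stating the invariant (->last is never NULL, and equals p while nothing has been chained yet) and naming where it is established, so that a later path that queues an skb for GRO without setting it does not break this silently.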
... | ... | @@ -3192,7 +3192,7 @@ |
3192 | 3192 | |
3193 | 3193 | __skb_pull(skb, offset); |
3194 | 3194 | |
3195 | - if (!NAPI_GRO_CB(p)->last) | |
3195 | + if (NAPI_GRO_CB(p)->last == p) | |
3196 | 3196 | skb_shinfo(p)->frag_list = skb; |
3197 | 3197 | else |
3198 | 3198 | NAPI_GRO_CB(p)->last->next = skb; |
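Review bot: the test `NAPI_GRO_CB(p)->last == p` changes the marker for "no frag_list yet" from NULL to a self-pointer, while the else branch still stores through `NAPI_GRO_CB(p)->last->next`, so a p whose ->last holds leftover cb[] content would take the else branch and write skb through an unrelated pointer. The self-pointer convention should be documented next to the field's definition, and any other reader of ->last that still compares it against NULL should be checked, since that comparison no longer identifies the empty state.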