diff options
| author | Eric Dumazet <edumazet@google.com> | 2012-12-06 08:54:59 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-12-07 14:39:29 -0500 |
| commit | c3c7c254b2e8cd99b0adf288c2a1bddacd7ba255 (patch) | |
| tree | cca25bcae0cc6172a616335041c1e54a33db451c | |
| parent | 93b174ad71b08e504c2cf6e8a58ecce778b77a40 (diff) | |
net: gro: fix possible panic in skb_gro_receive()
commit 2e71a6f8084e (net: gro: selective flush of packets) added
a bug for skbs using frag_list. This part of the GRO stack is rarely
used, as it needs skb not using a page fragment for their skb->head.
Most drivers do use a page fragment, but some of them use GFP_KERNEL
allocations for the initial fill of their RX ring buffer.
napi_gro_flush() overwrite skb->prev that was used for these skb to
point to the last skb in frag_list.
Fix this using a separate field in struct napi_gro_cb to point to the
last fragment.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/linux/netdevice.h | 3 | ||||
| -rw-r--r-- | net/core/dev.c | 2 | ||||
| -rw-r--r-- | net/core/skbuff.c | 6 |
3 files changed, 8 insertions, 3 deletions
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index f8eda0276f03..a848ffc327f4 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h | |||
| @@ -1488,6 +1488,9 @@ struct napi_gro_cb { | |||
| 1488 | 1488 | ||
| 1489 | /* Used in ipv6_gro_receive() */ | 1489 | /* Used in ipv6_gro_receive() */ |
| 1490 | int proto; | 1490 | int proto; |
| 1491 | |||
| 1492 | /* used in skb_gro_receive() slow path */ | ||
| 1493 | struct sk_buff *last; | ||
| 1491 | }; | 1494 | }; |
| 1492 | 1495 | ||
| 1493 | #define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb) | 1496 | #define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb) |
diff --git a/net/core/dev.c b/net/core/dev.c index c0946cb2b354..e5942bf45a6d 100644 --- a/net/core/dev.c +++ b/net/core/dev.c | |||
| @@ -3451,6 +3451,8 @@ static int napi_gro_complete(struct sk_buff *skb) | |||
| 3451 | struct list_head *head = &ptype_base[ntohs(type) & PTYPE_HASH_MASK]; | 3451 | struct list_head *head = &ptype_base[ntohs(type) & PTYPE_HASH_MASK]; |
| 3452 | int err = -ENOENT; | 3452 | int err = -ENOENT; |
| 3453 | 3453 | ||
| 3454 | BUILD_BUG_ON(sizeof(struct napi_gro_cb) > sizeof(skb->cb)); | ||
| 3455 | |||
| 3454 | if (NAPI_GRO_CB(skb)->count == 1) { | 3456 | if (NAPI_GRO_CB(skb)->count == 1) { |
| 3455 | skb_shinfo(skb)->gso_size = 0; | 3457 | skb_shinfo(skb)->gso_size = 0; |
| 3456 | goto out; | 3458 | goto out; |
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 4007c1437fda..3f0636cd76cd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -3004,7 +3004,7 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb) | |||
| 3004 | skb_shinfo(nskb)->gso_size = pinfo->gso_size; | 3004 | skb_shinfo(nskb)->gso_size = pinfo->gso_size; |
| 3005 | pinfo->gso_size = 0; | 3005 | pinfo->gso_size = 0; |
| 3006 | skb_header_release(p); | 3006 | skb_header_release(p); |
| 3007 | nskb->prev = p; | 3007 | NAPI_GRO_CB(nskb)->last = p; |
| 3008 | 3008 | ||
| 3009 | nskb->data_len += p->len; | 3009 | nskb->data_len += p->len; |
| 3010 | nskb->truesize += p->truesize; | 3010 | nskb->truesize += p->truesize; |
| @@ -3030,8 +3030,8 @@ merge: | |||
| 3030 | 3030 | ||
| 3031 | __skb_pull(skb, offset); | 3031 | __skb_pull(skb, offset); |
| 3032 | 3032 | ||
| 3033 | p->prev->next = skb; | 3033 | NAPI_GRO_CB(p)->last->next = skb; |
| 3034 | p->prev = skb; | 3034 | NAPI_GRO_CB(p)->last = skb; |
| 3035 | skb_header_release(skb); | 3035 | skb_header_release(skb); |
| 3036 | 3036 | ||
| 3037 | done: | 3037 | done: |