[VLAN/BRIDGE]: Fix "skb_pull_rcsum - Fatal exception in interrupt"

I tried to preserve bridging code as it was before, but logic is quite
strange - I think we should free skb on error, since it is already
unshared and thus will just leak.

Herbert Xu states:

> +	if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
> +		goto out;

If this happens it'll be a double-free on skb since we'll
return NF_DROP which makes the caller free it too.

We could return NF_STOLEN to prevent that but I'm not sure
whether that's correct netfilter semantics.  Patrick, could
you please make a call on this?

Patrick McHardy states:

NF_STOLEN should work fine here.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 11 insertions, 1 deletions

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 4bab322c9f8f..328759c32d61 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -116,12 +116,22 @@ int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
                   struct packet_type* ptype, struct net_device *orig_dev)
 {
         unsigned char *rawp = NULL;
-        struct vlan_hdr *vhdr = (struct vlan_hdr *)(skb->data);
+        struct vlan_hdr *vhdr;
         unsigned short vid;
         struct net_device_stats *stats;
         unsigned short vlan_TCI;
         __be16 proto;
 
+        if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
+                return -1;
+
+        if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) {
+                kfree_skb(skb);
+                return -1;
+        }
+
+        vhdr = (struct vlan_hdr *)(skb->data);
+
         /* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */
         vlan_TCI = ntohs(vhdr->h_vlan_TCI);