ipv6: gro: fix PV6_GRO_CB(skb)->proto problem

It seems IPV6_GRO_CB(skb)->proto can be destroyed in skb_gro_receive()
if a new skb is allocated (to serve as an anchor for frag_list)

We copy NAPI_GRO_CB() only (not the IPV6 specific part) in :

*NAPI_GRO_CB(nskb) = *NAPI_GRO_CB(p);

So we leave IPV6_GRO_CB(nskb)->proto to 0 (fresh skb allocation) instead
of IPPROTO_TCP (6)

ipv6_gro_complete() isnt able to call ops->gro_complete()
[ tcp6_gro_complete() ]

Fix this by moving proto in NAPI_GRO_CB() and getting rid of
IPV6_GRO_CB

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 2 insertions, 9 deletions

diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index f757e3b7cfbf..a974247a9ae4 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -822,13 +822,6 @@ out:
         return segs;
 }
 
-struct ipv6_gro_cb {
-        struct napi_gro_cb napi;
-        int proto;
-};
-
-#define IPV6_GRO_CB(skb) ((struct ipv6_gro_cb *)(skb)->cb)
-
 static struct sk_buff **ipv6_gro_receive(struct sk_buff **head,
                                          struct sk_buff *skb)
 {
@@ -874,7 +867,7 @@ static struct sk_buff **ipv6_gro_receive(struct sk_buff **head,
                 iph = ipv6_hdr(skb);
         }
 
-        IPV6_GRO_CB(skb)->proto = proto;
+        NAPI_GRO_CB(skb)->proto = proto;
 
         flush--;
         nlen = skb_network_header_len(skb);
@@ -930,7 +923,7 @@ static int ipv6_gro_complete(struct sk_buff *skb)
                                  sizeof(*iph));
 
         rcu_read_lock();
-        ops = rcu_dereference(inet6_protos[IPV6_GRO_CB(skb)->proto]);
+        ops = rcu_dereference(inet6_protos[NAPI_GRO_CB(skb)->proto]);
         if (WARN_ON(!ops || !ops->gro_complete))
                 goto out_unlock;