| From e5093aec2e6b60c3df2420057ffab9ed4a6d2792 Mon Sep 17 00:00:00 2001 |
| From: Jarek Poplawski <jarkao2@gmail.com> |
| Date: Wed, 11 Aug 2010 02:02:10 +0000 |
| Subject: net: Fix a memmove bug in dev_gro_receive() |
| |
| From: Jarek Poplawski <jarkao2@gmail.com> |
| |
| commit e5093aec2e6b60c3df2420057ffab9ed4a6d2792 upstream. |
| |
| >Xin Xiaohui wrote: |
| > I looked into the code dev_gro_receive(), found the code here: |
| > if the frags[0] is pulled to 0, then the page will be released, |
| > and memmove() frags left. |
| > Is that right? I'm not sure if memmove does right or not, but |
| > frags[0].size is never set after memmove at least. What I think |
| > a simple way is not to do anything if we found frags[0].size == 0. |
| > The patch is as follows. |
| ... |
| |
| This version of the patch fixes the bug directly in memmove. |
| |
| Reported-by: "Xin, Xiaohui" <xiaohui.xin@intel.com> |
| Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Cc: Ben Hutchings <bhutchings@solarflare.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/core/dev.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/core/dev.c |
| +++ b/net/core/dev.c |
| @@ -2664,7 +2664,7 @@ pull: |
| put_page(skb_shinfo(skb)->frags[0].page); |
| memmove(skb_shinfo(skb)->frags, |
| skb_shinfo(skb)->frags + 1, |
| - --skb_shinfo(skb)->nr_frags); |
| + --skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)); |
| } |
| } |
| |
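Review bot: The length argument on the added memmove() line still carries the pre-decrement of nr_frags as a side effect, which is how the missing element size went unnoticed in the first place. Consider decrementing on its own statement before the call and passing `skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)` as the length, or `sizeof(skb_shinfo(skb)->frags[0])` so the size stays tied to the array's element type. The arithmetic itself is right: the prefix decrement binds tighter than the multiplication, so the remaining entry count is scaled to bytes. The commit message would also benefit from one sentence on the effect of the old code: the length was an entry count used as a byte count, so only a few bytes of the array moved and slot 0 was left only partly overwritten after put_page() had dropped the reference on frags[0].page.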