| From foo@baz Tue Jun 12 11:38:32 CEST 2018 |
| From: Willem de Bruijn <willemb@google.com> |
| Date: Thu, 24 May 2018 18:10:30 -0400 |
| Subject: packet: fix reserve calculation |
| |
| From: Willem de Bruijn <willemb@google.com> |
| |
| [ Upstream commit 9aad13b087ab0a588cd68259de618f100053360e ] |
| |
| Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link |
| layer allocation") ensures that packet_snd always starts writing |
| the link layer header in reserved headroom allocated for this |
| purpose. |
| |
| This is needed because packets may be shorter than hard_header_len, |
| in which case the space up to hard_header_len may be zeroed. But |
| that necessary padding is not accounted for in skb->len. |
| |
| The fix, however, is buggy. It calls skb_push, which grows skb->len |
| when moving skb->data back. But in this case packet length should not |
| change. |
| |
| Instead, call skb_reserve, which moves both skb->data and skb->tail |
| back, without changing length. |
| |
| Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation") |
| Reported-by: Tariq Toukan <tariqt@mellanox.com> |
| Signed-off-by: Willem de Bruijn <willemb@google.com> |
| Acked-by: Soheil Hassas Yeganeh <soheil@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/packet/af_packet.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/packet/af_packet.c |
| +++ b/net/packet/af_packet.c |
| @@ -2918,7 +2918,7 @@ static int packet_snd(struct socket *soc |
| if (unlikely(offset < 0)) |
| goto out_free; |
| } else if (reserve) { |
| - skb_push(skb, reserve); |
| + skb_reserve(skb, -reserve); |
| } |
| |
| /* Returns -EFAULT on error */ |