releases/3.14.5/net-gro-make-sure-skb-cb-initial-content-has-not.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Wed May 28 21:03:54 PDT 2014
 From: Eric Dumazet <edumazet@google.com>
 Date: Fri, 16 May 2014 11:34:37 -0700
 Subject: net: gro: make sure skb->cb[] initial content has not
  to be zero
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 From: Eric Dumazet <edumazet@google.com>

 [ Upstream commit 29e98242783ed3ba569797846a606ba66f781625 ]

 Starting from linux-3.13, GRO attempts to build full size skbs.

 Problem is the commit assumed one particular field in skb->cb[]
 was clean, but it is not the case on some stacked devices.

 Timo reported a crash in case traffic is decrypted before
 reaching a GRE device.

 Fix this by initializing NAPI_GRO_CB(skb)->last at the right place,
 this also removes one conditional.

 Thanks a lot to Timo for providing full reports and bisecting this.

 Fixes: 8a29111c7ca6 ("net: gro: allow to build full sized skb")
 Bisected-by: Timo Teras <timo.teras@iki.fi>
 Signed-off-by: Eric Dumazet <edumazet@google.com>
 Tested-by: Timo Teräs <timo.teras@iki.fi>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/core/dev.c    |    1 +
  net/core/skbuff.c |    4 ++--
  2 files changed, 3 insertions(+), 2 deletions(-)

 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -3944,6 +3944,7 @@ static enum gro_result dev_gro_receive(s
  	}
  	NAPI_GRO_CB(skb)->count = 1;
  	NAPI_GRO_CB(skb)->age = jiffies;
 +	NAPI_GRO_CB(skb)->last = skb;
  	skb_shinfo(skb)->gso_size = skb_gro_len(skb);
  	skb->next = napi->gro_list;
  	napi->gro_list = skb;
 --- a/net/core/skbuff.c
 +++ b/net/core/skbuff.c
 @@ -3076,7 +3076,7 @@ int skb_gro_receive(struct sk_buff **hea
  	if (unlikely(p->len + len >= 65536))
  		return -E2BIG;

 -	lp = NAPI_GRO_CB(p)->last ?: p;
 +	lp = NAPI_GRO_CB(p)->last;
  	pinfo = skb_shinfo(lp);

  	if (headlen <= offset) {
 @@ -3192,7 +3192,7 @@ merge:

  	__skb_pull(skb, offset);

 -	if (!NAPI_GRO_CB(p)->last)
 +	if (NAPI_GRO_CB(p)->last == p)
  		skb_shinfo(p)->frag_list = skb;
  	else
  		NAPI_GRO_CB(p)->last->next = skb;
	From foo@baz Wed May 28 21:03:54 PDT 2014
	From: Eric Dumazet <edumazet@google.com>
	Date: Fri, 16 May 2014 11:34:37 -0700
	Subject: net: gro: make sure skb->cb[] initial content has not
	to be zero
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	From: Eric Dumazet <edumazet@google.com>

	[ Upstream commit 29e98242783ed3ba569797846a606ba66f781625 ]

	Starting from linux-3.13, GRO attempts to build full size skbs.

	Problem is the commit assumed one particular field in skb->cb[]
	was clean, but it is not the case on some stacked devices.

	Timo reported a crash in case traffic is decrypted before
	reaching a GRE device.

	Fix this by initializing NAPI_GRO_CB(skb)->last at the right place,
	this also removes one conditional.

	Thanks a lot to Timo for providing full reports and bisecting this.

	Fixes: 8a29111c7ca6 ("net: gro: allow to build full sized skb")
	Bisected-by: Timo Teras <timo.teras@iki.fi>
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Tested-by: Timo Teräs <timo.teras@iki.fi>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/core/dev.c \| 1 +
	net/core/skbuff.c \| 4 ++--
	2 files changed, 3 insertions(+), 2 deletions(-)

	--- a/net/core/dev.c
	+++ b/net/core/dev.c
	@@ -3944,6 +3944,7 @@ static enum gro_result dev_gro_receive(s
	}
	NAPI_GRO_CB(skb)->count = 1;
	NAPI_GRO_CB(skb)->age = jiffies;
	+ NAPI_GRO_CB(skb)->last = skb;
	skb_shinfo(skb)->gso_size = skb_gro_len(skb);
	skb->next = napi->gro_list;
	napi->gro_list = skb;
	--- a/net/core/skbuff.c
	+++ b/net/core/skbuff.c
	@@ -3076,7 +3076,7 @@ int skb_gro_receive(struct sk_buff **hea
	if (unlikely(p->len + len >= 65536))
	return -E2BIG;

	- lp = NAPI_GRO_CB(p)->last ?: p;
	+ lp = NAPI_GRO_CB(p)->last;
	pinfo = skb_shinfo(lp);

	if (headlen <= offset) {
	@@ -3192,7 +3192,7 @@ merge:

	__skb_pull(skb, offset);

	- if (!NAPI_GRO_CB(p)->last)
	+ if (NAPI_GRO_CB(p)->last == p)
	skb_shinfo(p)->frag_list = skb;
	else
	NAPI_GRO_CB(p)->last->next = skb;