diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2011-10-14 04:57:46 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-10-20 16:20:30 -0400 |
commit | 113ab386c7d6625cff284fb10952ff69a58c18a4 (patch) | |
tree | 1334a0c133d6348f72619fdc502088644fba1c3b /net | |
parent | fd11e153b82ad1c84ccc71ba1cfedc222465198c (diff) | |
download | linux-3.10-113ab386c7d6625cff284fb10952ff69a58c18a4.tar.gz linux-3.10-113ab386c7d6625cff284fb10952ff69a58c18a4.tar.bz2 linux-3.10-113ab386c7d6625cff284fb10952ff69a58c18a4.zip |
ip_gre: dont increase dev->needed_headroom on a live device
It seems ip_gre is able to change dev->needed_headroom on the fly.
Its is not legal unfortunately and triggers a BUG in raw_sendmsg()
skb = sock_alloc_send_skb(sk, ... + LL_ALLOCATED_SPACE(rt->dst.dev)
< another cpu change dev->needed_headromm (making it bigger)
...
skb_reserve(skb, LL_RESERVED_SPACE(rt->dst.dev));
We end with LL_RESERVED_SPACE() being bigger than LL_ALLOCATED_SPACE()
-> we crash later because skb head is exhausted.
Bug introduced in commit 243aad83 in 2.6.34 (ip_gre: include route
header_len in max_headroom calculation)
Reported-by: Elmar Vonlanthen <evonlanthen@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Timo Teräs <timo.teras@iki.fi>
CC: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/ip_gre.c | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index d7bb94c4834..d55110e9312 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -835,8 +835,6 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev if (skb_headroom(skb) < max_headroom || skb_shared(skb)|| (skb_cloned(skb) && !skb_clone_writable(skb, 0))) { struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom); - if (max_headroom > dev->needed_headroom) - dev->needed_headroom = max_headroom; if (!new_skb) { ip_rt_put(rt); dev->stats.tx_dropped++; |