diff options
| author | Sabrina Dubroca <sd@queasysnail.net> | 2018-06-30 17:38:55 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-07-22 14:28:44 +0200 |
| commit | b364a914c4993f46c0d849dab20d67ba0d82809d (patch) | |
| tree | 3c7fa6b77197b4149d9ab51c6fef78ea75ec197c /net/ipv4/fou.c | |
| parent | fb6b14663d56afabf86a3a2078c37a8d28fc718a (diff) | |
| download | linux-exynos-b364a914c4993f46c0d849dab20d67ba0d82809d.tar.gz linux-exynos-b364a914c4993f46c0d849dab20d67ba0d82809d.tar.bz2 linux-exynos-b364a914c4993f46c0d849dab20d67ba0d82809d.zip | |
net: fix use-after-free in GRO with ESP
[ Upstream commit 603d4cf8fe095b1ee78f423d514427be507fb513 ]
Since the addition of GRO for ESP, gro_receive can consume the skb and
return -EINPROGRESS. In that case, the lower layer GRO handler cannot
touch the skb anymore.
Commit 5f114163f2f5 ("net: Add a skb_gro_flush_final helper.") converted
some of the gro_receive handlers that can lead to ESP's gro_receive so
that they wouldn't access the skb when -EINPROGRESS is returned, but
missed other spots, mainly in tunneling protocols.
This patch finishes the conversion to using skb_gro_flush_final(), and
adds a new helper, skb_gro_flush_final_remcsum(), used in VXLAN and
GUE.
Fixes: 5f114163f2f5 ("net: Add a skb_gro_flush_final helper.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/ipv4/fou.c')
| -rw-r--r-- | net/ipv4/fou.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c index 1540db65241a..c9ec1603666b 100644 --- a/net/ipv4/fou.c +++ b/net/ipv4/fou.c @@ -448,9 +448,7 @@ next_proto: out_unlock: rcu_read_unlock(); out: - NAPI_GRO_CB(skb)->flush |= flush; - skb_gro_remcsum_cleanup(skb, &grc); - skb->remcsum_offload = 0; + skb_gro_flush_final_remcsum(skb, pp, flush, &grc); return pp; } |