git.baikalelectronics.ru Git - kernel.git/commit

author	Sabrina Dubroca <sd@queasysnail.net>
	Sat, 30 Jun 2018 15:38:55 +0000 (17:38 +0200)
committer	David S. Miller <davem@davemloft.net>
	Mon, 2 Jul 2018 11:34:04 +0000 (20:34 +0900)
commit	d5777417c6fef2cc8ed7f774b1fc6f015e98af56
tree	a4051b67f31ba061752f8c5326fa9c6aab528e7f	tree \| snapshot
parent	0d74884af4dab16d0e590d6fe3cbea7d1fe779f5	commit \| diff

net: fix use-after-free in GRO with ESP

Since the addition of GRO for ESP, gro_receive can consume the skb and
return -EINPROGRESS. In that case, the lower layer GRO handler cannot
touch the skb anymore.

Commit 37c8947cca61 ("net: Add a skb_gro_flush_final helper.") converted
some of the gro_receive handlers that can lead to ESP's gro_receive so
that they wouldn't access the skb when -EINPROGRESS is returned, but
missed other spots, mainly in tunneling protocols.

This patch finishes the conversion to using skb_gro_flush_final(), and
adds a new helper, skb_gro_flush_final_remcsum(), used in VXLAN and
GUE.

Fixes: 37c8947cca61 ("net: Add a skb_gro_flush_final helper.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

drivers/net/geneve.c		diff \| blob \| history
drivers/net/vxlan.c		diff \| blob \| history
include/linux/netdevice.h		diff \| blob \| history
net/8021q/vlan.c		diff \| blob \| history
net/ipv4/fou.c		diff \| blob \| history
net/ipv4/gre_offload.c		diff \| blob \| history
net/ipv4/udp_offload.c		diff \| blob \| history