[thirdparty/kernel/stable-queue.git] / releases / 4.9.108 / packet-fix-reserve-calculation.patch

From foo@baz Tue Jun 12 11:38:32 CEST 2018
From: Willem de Bruijn <willemb@google.com>
Date: Thu, 24 May 2018 18:10:30 -0400
Subject: packet: fix reserve calculation

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit 9aad13b087ab0a588cd68259de618f100053360e ]

Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link
layer allocation") ensures that packet_snd always starts writing
the link layer header in reserved headroom allocated for this
purpose.

This is needed because packets may be shorter than hard_header_len,
in which case the space up to hard_header_len may be zeroed. But
that necessary padding is not accounted for in skb->len.

The fix, however, is buggy. It calls skb_push, which grows skb->len
when moving skb->data back. But in this case packet length should not
change.

Instead, call skb_reserve, which moves both skb->data and skb->tail
back, without changing length.

Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
Reported-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/packet/af_packet.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2918,7 +2918,7 @@ static int packet_snd(struct socket *soc
 		if (unlikely(offset < 0))
 			goto out_free;
 	} else if (reserve) {
-		skb_push(skb, reserve);
+		skb_reserve(skb, -reserve);
 	}
 
 	/* Returns -EFAULT on error */
Commit	Line	Data
e6d488dc GKH	1	From foo@baz Tue Jun 12 11:38:32 CEST 2018
	2	From: Willem de Bruijn <willemb@google.com>
	3	Date: Thu, 24 May 2018 18:10:30 -0400
	4	Subject: packet: fix reserve calculation
	5
	6	From: Willem de Bruijn <willemb@google.com>
	7
	8	[ Upstream commit 9aad13b087ab0a588cd68259de618f100053360e ]
	9
	10	Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link
	11	layer allocation") ensures that packet_snd always starts writing
	12	the link layer header in reserved headroom allocated for this
	13	purpose.
	14
	15	This is needed because packets may be shorter than hard_header_len,
	16	in which case the space up to hard_header_len may be zeroed. But
	17	that necessary padding is not accounted for in skb->len.
	18
	19	The fix, however, is buggy. It calls skb_push, which grows skb->len
	20	when moving skb->data back. But in this case packet length should not
	21	change.
	22
	23	Instead, call skb_reserve, which moves both skb->data and skb->tail
	24	back, without changing length.
	25
	26	Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation")
	27	Reported-by: Tariq Toukan <tariqt@mellanox.com>
	28	Signed-off-by: Willem de Bruijn <willemb@google.com>
	29	Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
	30	Signed-off-by: David S. Miller <davem@davemloft.net>
	31	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	32	---
	33	net/packet/af_packet.c \| 2 +-
	34	1 file changed, 1 insertion(+), 1 deletion(-)
	35
	36	--- a/net/packet/af_packet.c
	37	+++ b/net/packet/af_packet.c
	38	@@ -2918,7 +2918,7 @@ static int packet_snd(struct socket *soc
	39	if (unlikely(offset < 0))
	40	goto out_free;
	41	} else if (reserve) {
	42	- skb_push(skb, reserve);
	43	+ skb_reserve(skb, -reserve);
	44	}
	45
	46	/* Returns -EFAULT on error */