]>
Commit | Line | Data |
---|---|---|
e6d488dc GKH |
1 | From foo@baz Tue Jun 12 11:38:32 CEST 2018 |
2 | From: Willem de Bruijn <willemb@google.com> | |
3 | Date: Thu, 24 May 2018 18:10:30 -0400 | |
4 | Subject: packet: fix reserve calculation | |
5 | ||
6 | From: Willem de Bruijn <willemb@google.com> | |
7 | ||
8 | [ Upstream commit 9aad13b087ab0a588cd68259de618f100053360e ] | |
9 | ||
10 | Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link | |
11 | layer allocation") ensures that packet_snd always starts writing | |
12 | the link layer header in reserved headroom allocated for this | |
13 | purpose. | |
14 | ||
15 | This is needed because packets may be shorter than hard_header_len, | |
16 | in which case the space up to hard_header_len may be zeroed. But | |
17 | that necessary padding is not accounted for in skb->len. | |
18 | ||
19 | The fix, however, is buggy. It calls skb_push, which grows skb->len | |
20 | when moving skb->data back. But in this case packet length should not | |
21 | change. | |
22 | ||
23 | Instead, call skb_reserve, which moves both skb->data and skb->tail | |
24 | back, without changing length. | |
25 | ||
26 | Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation") | |
27 | Reported-by: Tariq Toukan <tariqt@mellanox.com> | |
28 | Signed-off-by: Willem de Bruijn <willemb@google.com> | |
29 | Acked-by: Soheil Hassas Yeganeh <soheil@google.com> | |
30 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
31 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
32 | --- | |
33 | net/packet/af_packet.c | 2 +- | |
34 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
35 | ||
36 | --- a/net/packet/af_packet.c | |
37 | +++ b/net/packet/af_packet.c | |
38 | @@ -2918,7 +2918,7 @@ static int packet_snd(struct socket *soc | |
39 | if (unlikely(offset < 0)) | |
40 | goto out_free; | |
41 | } else if (reserve) { | |
42 | - skb_push(skb, reserve); | |
43 | + skb_reserve(skb, -reserve); | |
44 | } | |
45 | ||
46 | /* Returns -EFAULT on error */ |