1 From 11296f76ac9c54c6baf15d74d5a0aa1363cf1897 Mon Sep 17 00:00:00 2001
2 From: Steffen Klassert <steffen.klassert@secunet.com>
3 Date: Tue, 2 Apr 2019 08:16:03 +0200
4 Subject: net-gro: Fix GRO flush when receiving a GSO packet.
6 [ Upstream commit 0ab03f353d3613ea49d1f924faf98559003670a8 ]
8 Currently we may merge incorrectly a received GSO packet
9 or a packet with frag_list into a packet sitting in the
10 gro_hash list. skb_segment() may crash case because
11 the assumptions on the skb layout are not met.
12 The correct behaviour would be to flush the packet in the
13 gro_hash list and send the received GSO packet directly
14 afterwards. Commit d61d072e87c8e ("net-gro: avoid reorders")
15 sets NAPI_GRO_CB(skb)->flush in this case, but this is not
16 checked before merging. This patch makes sure to check this
17 flag and to not merge in that case.
19 Fixes: d61d072e87c8e ("net-gro: avoid reorders")
20 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
21 Signed-off-by: David S. Miller <davem@davemloft.net>
22 Signed-off-by: Sasha Levin <sashal@kernel.org>
24 net/core/skbuff.c | 2 +-
25 1 file changed, 1 insertion(+), 1 deletion(-)
27 diff --git a/net/core/skbuff.c b/net/core/skbuff.c
28 index 8656b1e20d35..ceee28e184af 100644
29 --- a/net/core/skbuff.c
30 +++ b/net/core/skbuff.c
31 @@ -3832,7 +3832,7 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
32 unsigned int delta_truesize;
35 - if (unlikely(p->len + len >= 65536))
36 + if (unlikely(p->len + len >= 65536 || NAPI_GRO_CB(skb)->flush))
39 lp = NAPI_GRO_CB(p)->last;