This is a note to let you know that I've just added the patch titled vlan: pull on __vlan_insert_tag error path and fix csum correction to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: vlan-pull-on-__vlan_insert_tag-error-path-and-fix-csum-correction.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Mon May 16 11:21:32 PDT 2016 From: Daniel Borkmann <daniel@xxxxxxxxxxxxx> Date: Sat, 16 Apr 2016 02:27:58 +0200 Subject: vlan: pull on __vlan_insert_tag error path and fix csum correction From: Daniel Borkmann <daniel@xxxxxxxxxxxxx> [ Upstream commit 9241e2df4fbc648a92ea0752918e05c26255649e ] When __vlan_insert_tag() fails from skb_vlan_push() path due to the skb_cow_head(), we need to undo the __skb_push() in the error path as well that was done earlier to move skb->data pointer to mac header. Moreover, I noticed that when in the non-error path the __skb_pull() is done and the original offset to mac header was non-zero, we fixup from a wrong skb->data offset in the checksum complete processing. So the skb_postpush_rcsum() really needs to be done before __skb_pull() where skb->data still points to the mac header start and thus operates under the same conditions as in __vlan_insert_tag(). Fixes: 93515d53b133 ("net: move vlan pop/push functions into common code") Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx> Reviewed-by: Jiri Pirko <jiri@xxxxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/core/skbuff.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4427,13 +4427,16 @@ int skb_vlan_push(struct sk_buff *skb, _ __skb_push(skb, offset); err = __vlan_insert_tag(skb, skb->vlan_proto, skb_vlan_tag_get(skb)); - if (err) + if (err) { + __skb_pull(skb, offset); return err; + } + skb->protocol = skb->vlan_proto; skb->mac_len += VLAN_HLEN; - __skb_pull(skb, offset); skb_postpush_rcsum(skb, skb->data + (2 * ETH_ALEN), VLAN_HLEN); + __skb_pull(skb, offset); } __vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci); return 0; Patches currently in stable-queue which might be from daniel@xxxxxxxxxxxxx are queue-4.4/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch queue-4.4/vlan-pull-on-__vlan_insert_tag-error-path-and-fix-csum-correction.patch queue-4.4/bpf-fix-refcnt-overflow.patch queue-4.4/bpf-verifier-reject-invalid-ld_abs-bpf_dw-instruction.patch queue-4.4/net-use-skb_postpush_rcsum-instead-of-own-implementations.patch queue-4.4/bpf-fix-check_map_func_compatibility-logic.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html