This is a note to let you know that I've just added the patch titled
ipv6: fix headroom calculation in udp6_ufo_fragment
to the 3.12-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
and it can be found in the queue-3.12 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Thu Dec 5 16:16:37 PST 2013
From: Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 5 Nov 2013 02:41:27 +0100
Subject: ipv6: fix headroom calculation in udp6_ufo_fragment
From: Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx>
[ Upstream commit 0e033e04c2678dbbe74a46b23fffb7bb918c288e ]
Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
fragmentation for tunnel traffic.") changed the calculation if
there is enough space to include a fragment header in the skb from a
skb->mac_header dervived one to skb_headroom. Because we already peeled
off the skb to transport_header this is wrong. Change this back to check
if we have enough room before the mac_header.
This fixes a panic Saran Neti reported. He used the tbf scheduler which
skb_gso_segments the skb. The offsets get negative and we panic in memcpy
because the skb was erroneously not expanded at the head.
Reported-by: Saran Neti <Saran.Neti@xxxxxxxxx>
Cc: Pravin B Shelar <pshelar@xxxxxxxxxx>
Signed-off-by: Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/ipv6/udp_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -88,7 +88,7 @@ static struct sk_buff *udp6_ufo_fragment
/* Check if there is enough headroom to insert fragment header. */
tnl_hlen = skb_tnl_header_len(skb);
- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
+ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
goto out;
}
Patches currently in stable-queue which might be from hannes@xxxxxxxxxxxxxxxxxxx are
queue-3.12/ipv6-fix-inet6_init-cleanup-order.patch
queue-3.12/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
queue-3.12/ping-prevent-null-pointer-dereference-on-write-to-msg_name.patch
queue-3.12/inet-prevent-leakage-of-uninitialized-memory-to-user-in-recv-syscalls.patch
queue-3.12/net-rework-recvmsg-handler-msg_name-and-msg_namelen-logic.patch
queue-3.12/ipv6-fix-possible-seqlock-deadlock-in-ip6_finish_output2.patch
queue-3.12/net-add-bug_on-if-kernel-advertises-msg_namelen-sizeof-struct-sockaddr_storage.patch
queue-3.12/ipv6-use-rt6_get_dflt_router-to-get-default-router-in.patch
queue-3.12/random32-fix-off-by-one-in-seeding-requirement.patch
queue-3.12/inet-fix-possible-seqlock-deadlocks.patch
queue-3.12/inet-fix-addr_len-msg-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch
queue-3.12/ipv6-protect-for_each_sk_fl_rcu-in-mem_check-with.patch
queue-3.12/ipv6-fix-leaking-uninitialized-port-number-of-offender-sockaddr.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html