* [PATCH] net: fix sk_buff head without data area
From: Pablo Neira Ayuso @ 2013-06-03 19:28 UTC (permalink / raw)
To: netdev; +Cc: eric.dumazet, davem
Eric Dumazet spotted that we have to check skb->head instead
of skb->data as skb->head points to the beginning of the
data area of the skbuff. Similarly, we have to initialize the
skb->head pointer, not skb->data in __alloc_skb_head.

After this fix, netlink crashes in the release path of the
sk_buff, so let's fix that as well.

This bug was introduced in (0ebd0ac net: add function to
allocate sk_buff head without data area).

Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/core/skbuff.c | 4 ++--
net/netlink/af_netlink.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index d629891..98ed66a 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -195,7 +195,7 @@ struct sk_buff *__alloc_skb_head(gfp_t gfp_mask, int node)
* the tail pointer in struct sk_buff!
*/
memset(skb, 0, offsetof(struct sk_buff, tail));
- skb->data = NULL;
+ skb->head = NULL;
skb->truesize = sizeof(struct sk_buff);
atomic_set(&skb->users, 1);
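Review bot: In __alloc_skb_head, swapping `skb->data = NULL;` for `skb->head = NULL;` drops the data initialisation instead of adding to it. The memset above only clears up to offsetof(struct sk_buff, tail), and the fact that head needs an explicit assignment suggests it lies past that offset; if data does too, it now keeps whatever was in the allocation. Suggest setting both, `skb->head = NULL;` followed by `skb->data = NULL;`, so a head-only skb never carries a stale data pointer.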
@@ -611,7 +611,7 @@ static void skb_release_head_state(struct sk_buff *skb)
static void skb_release_all(struct sk_buff *skb)
{
skb_release_head_state(skb);
- if (likely(skb->data))
+ if (likely(skb->head))
skb_release_data(skb);
}
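Review bot: The `if (likely(skb->head))` test in skb_release_all now encodes an invariant (a NULL head means there is no data area to release) that nothing at this site documents. A one-line comment above the check naming __alloc_skb_head as the producer of such skbs would keep a later cleanup from switching the test back to skb->data, which is the mistake this patch corrects.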
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 12ac6b4..d0b3dd6 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -747,7 +747,7 @@ static void netlink_skb_destructor(struct sk_buff *skb)
atomic_dec(&ring->pending);
sock_put(sk);
- skb->data = NULL;
+ skb->head = NULL;
}
#endif
if (skb->sk != NULL)
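Review bot: In netlink_skb_destructor, `skb->head = NULL;` only has an effect because skb_release_all in net/core/skbuff.c tests skb->head, and that cross-file dependency is not stated here. Suggest a short comment on the assignment saying it makes the core release path skip skb_release_data, and consider clearing skb->data as well, since after this change it keeps its old value past the destructor.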
--
1.7.10.4
* Re: [PATCH] net: fix sk_buff head without data area
From: David Miller @ 2013-06-05 0:27 UTC (permalink / raw)
To: pablo; +Cc: netdev, eric.dumazet
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 3 Jun 2013 21:28:43 +0200
> Eric Dumazet spotted that we have to check skb->head instead
> of skb->data as skb->head points to the beginning of the
> data area of the skbuff. Similarly, we have to initialize the
> skb->head pointer, not skb->data in __alloc_skb_head.
>
> After this fix, netlink crashes in the release path of the
> sk_buff, so let's fix that as well.
>
> This bug was introduced in (0ebd0ac net: add function to
> allocate sk_buff head without data area).
>
> Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Applied and queued up for -stable, thanks.