[VLAN/BRIDGE]: Fix "skb_pull_rcsum - Fatal exception in interrupt"
I tried to preserve bridging code as it was before, but logic is quite strange - I think we should free skb on error, since it is already unshared and thus will just leak. Herbert Xu states: > + if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL) > + goto out; If this happens it'll be a double-free on skb since we'll return NF_DROP which makes the caller free it too. We could return NF_STOLEN to prevent that but I'm not sure whether that's correct netfilter semantics. Patrick, could you please make a call on this? Patrick McHardy states: NF_STOLEN should work fine here. Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
7c8347a91d
commit
e7c243c925
2 changed files with 18 additions and 6 deletions
|
@ -116,12 +116,22 @@ int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
|
|||
struct packet_type* ptype, struct net_device *orig_dev)
|
||||
{
|
||||
unsigned char *rawp = NULL;
|
||||
struct vlan_hdr *vhdr = (struct vlan_hdr *)(skb->data);
|
||||
struct vlan_hdr *vhdr;
|
||||
unsigned short vid;
|
||||
struct net_device_stats *stats;
|
||||
unsigned short vlan_TCI;
|
||||
__be16 proto;
|
||||
|
||||
if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
|
||||
return -1;
|
||||
|
||||
if (unlikely(!pskb_may_pull(skb, VLAN_HLEN))) {
|
||||
kfree_skb(skb);
|
||||
return -1;
|
||||
}
|
||||
|
||||
vhdr = (struct vlan_hdr *)(skb->data);
|
||||
|
||||
/* vlan_TCI = ntohs(get_unaligned(&vhdr->h_vlan_TCI)); */
|
||||
vlan_TCI = ntohs(vhdr->h_vlan_TCI);
|
||||
|
||||
|
|
|
@ -509,8 +509,14 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
|
|||
int (*okfn)(struct sk_buff *))
|
||||
{
|
||||
struct iphdr *iph;
|
||||
__u32 len;
|
||||
struct sk_buff *skb = *pskb;
|
||||
__u32 len = nf_bridge_encap_header_len(skb);
|
||||
|
||||
if ((skb = skb_share_check(skb, GFP_ATOMIC)) == NULL)
|
||||
return NF_STOLEN;
|
||||
|
||||
if (unlikely(!pskb_may_pull(skb, len)))
|
||||
goto out;
|
||||
|
||||
if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
|
||||
IS_PPPOE_IPV6(skb)) {
|
||||
|
@ -518,8 +524,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
|
|||
if (!brnf_call_ip6tables)
|
||||
return NF_ACCEPT;
|
||||
#endif
|
||||
if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
|
||||
goto out;
|
||||
nf_bridge_pull_encap_header_rcsum(skb);
|
||||
return br_nf_pre_routing_ipv6(hook, skb, in, out, okfn);
|
||||
}
|
||||
|
@ -532,8 +536,6 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff **pskb,
|
|||
!IS_PPPOE_IP(skb))
|
||||
return NF_ACCEPT;
|
||||
|
||||
if ((skb = skb_share_check(*pskb, GFP_ATOMIC)) == NULL)
|
||||
goto out;
|
||||
nf_bridge_pull_encap_header_rcsum(skb);
|
||||
|
||||
if (!pskb_may_pull(skb, sizeof(struct iphdr)))
|
||||
|
|
Loading…
Reference in a new issue