Message ID | 1558023948-9428-1-git-send-email-u9012063@gmail.com |
---|---|
State | Changes Requested |
Delegated to: | David Miller |
Headers | show |
Series | [net] net: ip6_gre: access skb data after skb_cow_head() | expand |
From: William Tu <u9012063@gmail.com> Date: Thu, 16 May 2019 09:25:48 -0700 > When increases the headroom, skb's pointer might get re-allocated. > Fix it by moving skb_cow_head before accessing the skb->data pointer. > > Fixes: 01b8d064d58b4 ("net: ip6_gre: Request headroom in __gre6_xmit()") > Reported-by: Haichao Ma <haichaom@vmware.com> > Signed-off-by: William Tu <u9012063@gmail.com> I don't understand the problem. The fl6->daddr assignments are object copies, not pointer assignments. So there are no dangling pointer references I can see. Also, you need to explain exactly what dangling pointer is the problem in your commit message.
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index 655e46b227f9..90b2b129b105 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -714,6 +714,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, struct ip6_tnl *tunnel = netdev_priv(dev); __be16 protocol; + if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen)) + return -ENOMEM; + if (dev->type == ARPHRD_ETHER) IPCB(skb)->flags = 0; @@ -722,9 +725,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, else fl6->daddr = tunnel->parms.raddr; - if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen)) - return -ENOMEM; - /* Push GRE header. */ protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto;
When increases the headroom, skb's pointer might get re-allocated. Fix it by moving skb_cow_head before accessing the skb->data pointer. Fixes: 01b8d064d58b4 ("net: ip6_gre: Request headroom in __gre6_xmit()") Reported-by: Haichao Ma <haichaom@vmware.com> Signed-off-by: William Tu <u9012063@gmail.com> --- net/ipv6/ip6_gre.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)