>From fd023edd911ef12aca38a72b40241661c202684f Mon Sep 17 00:00:00 2001 From: Ramesh Nagappa <[email protected]> Date: Thu, 27 Sep 2012 10:20:58 -0700 Subject: [PATCH] net: fix neigh_resolve_output can cause skb_under_panic
The retry loop in the neigh_resolve_output() and neigh_connected_output() can add a hard_header without resetting the skb to network header. This causes the skb_push() in dev_hard_header() to fail. Signed-off-by: Ramesh Nagappa <[email protected]> Signed-off-by: Shawn Lu <[email protected]> Reviewed-by: Billie Alsup <[email protected]> Reviewed-by: Robert Coulson <[email protected]> --- net/core/neighbour.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 96bb0a3..5a3dfec5 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1327,6 +1327,7 @@ int neigh_resolve_output(struct sk_buff *skb) do { seq = read_seqbegin(&neigh->ha_lock); + __skb_pull(skb, skb_network_offset(skb)); err = dev_hard_header(skb, dev, ntohs(skb->protocol), neigh->ha, NULL, skb->len); } while (read_seqretry(&neigh->ha_lock, seq)); @@ -1358,10 +1359,10 @@ int neigh_connected_output(struct sk_buff *skb) struct net_device *dev = neigh->dev; unsigned int seq; - __skb_pull(skb, skb_network_offset(skb)); do { seq = read_seqbegin(&neigh->ha_lock); + __skb_pull(skb, skb_network_offset(skb)); err = dev_hard_header(skb, dev, ntohs(skb->protocol), neigh->ha, NULL, skb->len); } while (read_seqretry(&neigh->ha_lock, seq)); -- 1.7.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
