[Devel] [PATCH RHEL7 COMMIT] ms/ipv4: ip_do_fragment: fix headroom tests

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jul 17 17:57:33 MSK 2017


Please consider preparing a ReadyKernel patch for it.

https://readykernel.com/

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 07/17/2017 05:56 PM, Konstantin Khorenko wrote:
> The commit is pushed to "branch-rh7-3.10.0-514.26.1.vz7.33.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
> after rh7-3.10.0-514.26.1.vz7.33.8
> ------>
> commit fdcf72515c5b548142d8913b3003447a4cbbefe2
> Author: Vasily Averin <vvs at virtuozzo.com>
> Date:   Mon Jul 17 18:56:14 2017 +0400
>
>     ms/ipv4: ip_do_fragment: fix headroom tests
>
>     Some time ago David Woodhouse reported skb_under_panic
>     when we try to push ethernet header to fragmented ipv6 skbs.
>     It was fixed for ipv6 by Florian Westphal in
>     commit 1d325d217c7f ("ipv6: ip6_fragment: fix headroom tests and skb leak")
>
>     However, a similar problem still exists in ipv4.
>
>     It does not trigger skb_under_panic due to the paranoid check
>     in ip_finish_output2; however, according to Alexey Kuznetsov, the
>     current state is abnormal and ip_fragment should be fixed too.
>
>     https://jira.sw.ru/browse/PSBM-68362
>
>     Applied to netdev@ repo:
>     https://patchwork.ozlabs.org/patch/788222/
>
>     Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
> ---
>  net/ipv4/ip_output.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index 85274fa..84cbbe7 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -560,6 +560,7 @@ int ip_do_fragment(struct sock *sk, struct sk_buff *skb,
>  	hlen = iph->ihl * 4;
>  	mtu = mtu - hlen;	/* Size of data space */
>  	IPCB(skb)->flags |= IPSKB_FRAG_COMPLETE;
> +	ll_rs = LL_RESERVED_SPACE(rt->dst.dev);
>
>  	/* When frag_list is given, use it. First, check its validity:
>  	 * some transformers could create wrong frag_list or break existing
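Review bot: the added `ll_rs = LL_RESERVED_SPACE(rt->dst.dev);` dereferences `rt` much earlier in ip_do_fragment() than the old location did, and the visible context does not show where `rt` is assigned. Please confirm in the full file that `rt` is already valid at this point for every caller. A one-line comment saying that the link-layer reserve is now needed by the fast-path headroom checks would also explain why the assignment sits next to the `hlen`/`mtu` setup.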
> @@ -575,14 +576,15 @@ int ip_do_fragment(struct sock *sk, struct sk_buff *skb,
>  		if (first_len - hlen > mtu ||
>  		    ((first_len - hlen) & 7) ||
>  		    ip_is_fragment(iph) ||
> -		    skb_cloned(skb))
> +		    skb_cloned(skb) ||
> +		    skb_headroom(skb) < ll_rs)
>  			goto slow_path;
>
>  		skb_walk_frags(skb, frag) {
>  			/* Correct geometry. */
>  			if (frag->len > mtu ||
>  			    ((frag->len & 7) && frag->next) ||
> -			    skb_headroom(frag) < hlen)
> +			    skb_headroom(frag) < hlen + ll_rs)
>  				goto slow_path_clean;
>
>  			/* Partially cloned skb? */
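Review bot: the two new headroom tests use different bounds, `skb_headroom(skb) < ll_rs` for the head skb and `skb_headroom(frag) < hlen + ll_rs` for each frag, and nothing in the code says why. The head presumably needs only the link-layer reserve because it already carries its IP header, while each frag must also have `hlen` bytes free for the header that will be pushed in front of it. The existing "Correct geometry." comment does not cover this, so a short comment stating it would stop a later cleanup from "unifying" the two conditions. Also note that the head test falls through to `slow_path` and the frag test to `slow_path_clean`, which matches the neighbouring conditions and looks intentional.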
> @@ -672,8 +674,6 @@ int ip_do_fragment(struct sock *sk, struct sk_buff *skb,
>  	left = skb->len - hlen;		/* Space per frame */
>  	ptr = hlen;		/* Where to start from */
>
> -	ll_rs = LL_RESERVED_SPACE(rt->dst.dev);
> -
>  	/*
>  	 *	Fragment the datagram.
>  	 */
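Review bot: with the `ll_rs = LL_RESERVED_SPACE(rt->dst.dev);` assignment removed here, the slow path depends on the value computed near the top of the function. The new assignment sits before the frag_list checks, so both `goto slow_path` and `goto slow_path_clean` reach this point with `ll_rs` set, but please check that nothing between the two locations changes `rt` or the device it refers to, since the slow path would otherwise use a stale reserve.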
> .
>