From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Tue, 2 Apr 2019 06:16:03 +0000 (+0200)
Subject: net-gro: Fix GRO flush when receiving a GSO packet.
X-Git-Tag: Ubuntu-4.15.0-61.68~2344
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=8629e4001fd12769821066adde91315f44bb9e7a;p=mirror_ubuntu-bionic-kernel.git

net-gro: Fix GRO flush when receiving a GSO packet.

BugLink: https://bugs.launchpad.net/bugs/1838116

[ Upstream commit 0ab03f353d3613ea49d1f924faf98559003670a8 ]

Currently we may merge incorrectly a received GSO packet
or a packet with frag_list into a packet sitting in the
gro_hash list. skb_segment() may crash case because
the assumptions on the skb layout are not met.
The correct behaviour would be to flush the packet in the
gro_hash list and send the received GSO packet directly
afterwards. Commit d61d072e87c8e ("net-gro: avoid reorders")
sets NAPI_GRO_CB(skb)->flush in this case, but this is not
checked before merging. This patch makes sure to check this
flag and to not merge in that case.

Fixes: d61d072e87c8e ("net-gro: avoid reorders")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index d1820b1de0f9..8f37d184f600 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3807,7 +3807,7 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb)
 	struct sk_buff *lp, *p = *head;
 	unsigned int delta_truesize;
 
-	if (unlikely(p->len + len >= 65536))
+	if (unlikely(p->len + len >= 65536 || NAPI_GRO_CB(skb)->flush))
 		return -E2BIG;
 
 	lp = NAPI_GRO_CB(p)->last;