• Sabrina Dubroca's avatar
    net: fix use-after-free in GRO with ESP · 603d4cf8
    Sabrina Dubroca authored
    Since the addition of GRO for ESP, gro_receive can consume the skb and
    return -EINPROGRESS. In that case, the lower layer GRO handler cannot
    touch the skb anymore.
    
    Commit 5f114163 ("net: Add a skb_gro_flush_final helper.") converted
    some of the gro_receive handlers that can lead to ESP's gro_receive so
    that they wouldn't access the skb when -EINPROGRESS is returned, but
    missed other spots, mainly in tunneling protocols.
    
    This patch finishes the conversion to using skb_gro_flush_final(), and
    adds a new helper, skb_gro_flush_final_remcsum(), used in VXLAN and
    GUE.
    
    Fixes: 5f114163 ("net: Add a skb_gro_flush_final helper.")
    Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
    Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    603d4cf8
vxlan.c 95.9 KB