[ 31/42] net: Fix skb_under_panic oops in neigh_resolve_output

From: Greg Kroah-Hartman
Date: Thu Oct 25 2012 - 20:35:10 EST

Next message: Greg Kroah-Hartman: "[ 27/42] usb: dwc3: gadget: fix endpoint always busy bug"
Previous message: Greg Kroah-Hartman: "[ 30/42] infiniband: pass rdma_cm module to netlink_dump_start"
In reply to: Greg Kroah-Hartman: "[ 30/42] infiniband: pass rdma_cm module to netlink_dump_start"
Next in thread: Greg Kroah-Hartman: "[ 27/42] usb: dwc3: gadget: fix endpoint always busy bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: "ramesh.nagappa@xxxxxxxxx" <ramesh.nagappa@xxxxxxxxx>

[ Upstream commit e1f165032c8bade3a6bdf546f8faf61fda4dd01c ]

The retry loop in neigh_resolve_output() and neigh_connected_output()
call dev_hard_header() with out reseting the skb to network_header.
This causes the retry to fail with skb_under_panic. The fix is to
reset the network_header within the retry loop.

Signed-off-by: Ramesh Nagappa <ramesh.nagappa@xxxxxxxxxxxx>
Reviewed-by: Shawn Lu <shawn.lu@xxxxxxxxxxxx>
Reviewed-by: Robert Coulson <robert.coulson@xxxxxxxxxxxx>
Reviewed-by: Billie Alsup <billie.alsup@xxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/core/neighbour.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1285,8 +1285,6 @@ int neigh_resolve_output(struct neighbou
if (!dst)
goto discard;

- __skb_pull(skb, skb_network_offset(skb));
-
if (!neigh_event_send(neigh, skb)) {
int err;
struct net_device *dev = neigh->dev;
@@ -1296,6 +1294,7 @@ int neigh_resolve_output(struct neighbou
neigh_hh_init(neigh, dst);

do {
+ __skb_pull(skb, skb_network_offset(skb));
seq = read_seqbegin(&neigh->ha_lock);
err = dev_hard_header(skb, dev, ntohs(skb->protocol),
neigh->ha, NULL, skb->len);
@@ -1326,9 +1325,8 @@ int neigh_connected_output(struct neighb
unsigned int seq;
int err;

- __skb_pull(skb, skb_network_offset(skb));
-
do {
+ __skb_pull(skb, skb_network_offset(skb));
seq = read_seqbegin(&neigh->ha_lock);
err = dev_hard_header(skb, dev, ntohs(skb->protocol),
neigh->ha, NULL, skb->len);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg Kroah-Hartman: "[ 27/42] usb: dwc3: gadget: fix endpoint always busy bug"
Previous message: Greg Kroah-Hartman: "[ 30/42] infiniband: pass rdma_cm module to netlink_dump_start"
In reply to: Greg Kroah-Hartman: "[ 30/42] infiniband: pass rdma_cm module to netlink_dump_start"
Next in thread: Greg Kroah-Hartman: "[ 27/42] usb: dwc3: gadget: fix endpoint always busy bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]