summaryrefslogtreecommitdiffstats
path: root/net/ipv4/xfrm4_state.c
diff options
context:
space:
mode:
authorEric Dumazet <eric.dumazet@gmail.com>2010-09-18 07:58:08 +0200
committerDavid S. Miller <davem@davemloft.net>2010-09-18 07:58:08 +0200
commit04746ff1289f75af26af279eb4b0b3e231677ee4 (patch)
tree826160df5f9786dd15803b1ebfc14b8e3fa87608 /net/ipv4/xfrm4_state.c
parentdca: disable dca on IOAT ver.3.0 multiple-IOH platforms (diff)
downloadlinux-04746ff1289f75af26af279eb4b0b3e231677ee4.tar.xz
linux-04746ff1289f75af26af279eb4b0b3e231677ee4.zip
qlcnic: dont assume NET_IP_ALIGN is 2
qlcnic driver allocates rx skbs and gives to hardware too bytes of extra storage, allowing for corruption of kernel data. NET_IP_ALIGN being 0 on some platforms (including x86), drivers should not assume it's 2. rds_ring->skb_size = rds_ring->dma_size + NET_IP_ALIGN; ... skb = dev_alloc_skb(rds_ring->skb_size); skb_reserve(skb, 2); pci_map_single(pdev, skb->data, rds_ring->dma_size, PCI_DMA_FROMDEVICE); (and rds_ring->skb_size == rds_ring->dma_size) -> bug Because of extra alignment (1500 + 32) -> four extra bytes are available before the struct skb_shared_info, so corruption is not noticed. Note: this driver could use netdev_alloc_skb_ip_align() Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/xfrm4_state.c')
0 files changed, 0 insertions, 0 deletions