diff options
author | Steffen Klassert <steffen.klassert@secunet.com> | 2017-08-25 07:16:07 +0200 |
---|---|---|
committer | Steffen Klassert <steffen.klassert@secunet.com> | 2017-08-25 09:26:12 +0200 |
commit | 36ff0dd39f9b88ca83e1733b735e9f22b7be893b (patch) | |
tree | 4630219935215d5488958b705ee3a84ffccf17bf /net/ipv6/esp6.c | |
parent | net: xfrm: don't double-hold dst when sk_policy in use. (diff) | |
download | linux-36ff0dd39f9b88ca83e1733b735e9f22b7be893b.tar.xz linux-36ff0dd39f9b88ca83e1733b735e9f22b7be893b.zip |
esp: Fix locking on page fragment allocation
We allocate the page fragment for the ESP trailer inside
a spinlock, but consume it outside of the lock. This
is racy as some other cou could get the same page fragment
then. Fix this by consuming the page fragment inside the
lock too.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/ipv6/esp6.c')
-rw-r--r-- | net/ipv6/esp6.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 392def1fcf21..4e3fdc888943 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -260,8 +260,6 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info kunmap_atomic(vaddr); - spin_unlock_bh(&x->lock); - nfrags = skb_shinfo(skb)->nr_frags; __skb_fill_page_desc(skb, nfrags, page, pfrag->offset, @@ -269,6 +267,9 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info skb_shinfo(skb)->nr_frags = ++nfrags; pfrag->offset = pfrag->offset + allocsize; + + spin_unlock_bh(&x->lock); + nfrags++; skb->len += tailen; |