summaryrefslogtreecommitdiffstats
path: root/net/ipv6/route.c
diff options
context:
space:
mode:
authorEric Dumazet <eric.dumazet@gmail.com>2011-10-14 06:57:46 +0200
committerDavid S. Miller <davem@davemloft.net>2011-10-20 22:20:30 +0200
commit113ab386c7d6625cff284fb10952ff69a58c18a4 (patch)
tree1334a0c133d6348f72619fdc502088644fba1c3b /net/ipv6/route.c
parentMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc (diff)
downloadlinux-113ab386c7d6625cff284fb10952ff69a58c18a4.tar.xz
linux-113ab386c7d6625cff284fb10952ff69a58c18a4.zip
ip_gre: dont increase dev->needed_headroom on a live device
It seems ip_gre is able to change dev->needed_headroom on the fly. Its is not legal unfortunately and triggers a BUG in raw_sendmsg() skb = sock_alloc_send_skb(sk, ... + LL_ALLOCATED_SPACE(rt->dst.dev) < another cpu change dev->needed_headromm (making it bigger) ... skb_reserve(skb, LL_RESERVED_SPACE(rt->dst.dev)); We end with LL_RESERVED_SPACE() being bigger than LL_ALLOCATED_SPACE() -> we crash later because skb head is exhausted. Bug introduced in commit 243aad83 in 2.6.34 (ip_gre: include route header_len in max_headroom calculation) Reported-by: Elmar Vonlanthen <evonlanthen@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Timo Teräs <timo.teras@iki.fi> CC: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/route.c')
0 files changed, 0 insertions, 0 deletions