Commit 00b229f7 authored by Paolo Abeni's avatar Paolo Abeni Committed by Jakub Kicinski

net: fix GSO for SG-enabled devices

The commit dbd50f23 ("net: move the hsize check to the else
block in skb_segment") introduced a data corruption for devices
supporting scatter-gather.

The problem boils down to signed/unsigned comparison given
unexpected results: if signed 'hsize' is negative, it will be
considered greater than a positive 'len', which is unsigned.

This commit addresses resorting to the old checks order, so that
'hsize' never has a negative value when compared with 'len'.

v1 -> v2:
 - reorder hsize checks instead of explicit cast (Alex)
Bisected-by: default avatarMatthieu Baerts <matthieu.baerts@tessares.net>
Fixes: dbd50f23 ("net: move the hsize check to the else block in skb_segment")
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/861947c2d2d087db82af93c21920ce8147d15490.1611074818.git.pabeni@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent fc6f89dd
...@@ -3938,10 +3938,10 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, ...@@ -3938,10 +3938,10 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
skb_release_head_state(nskb); skb_release_head_state(nskb);
__skb_push(nskb, doffset); __skb_push(nskb, doffset);
} else { } else {
if (hsize < 0)
hsize = 0;
if (hsize > len || !sg) if (hsize > len || !sg)
hsize = len; hsize = len;
else if (hsize < 0)
hsize = 0;
nskb = __alloc_skb(hsize + doffset + headroom, nskb = __alloc_skb(hsize + doffset + headroom,
GFP_ATOMIC, skb_alloc_rx_flag(head_skb), GFP_ATOMIC, skb_alloc_rx_flag(head_skb),
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment