Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net: Fix a memmove bug in dev_gro_receive()

> Xin Xiaohui wrote:
> I looked into the code dev_gro_receive(), found the code here:
> if the frags[0] is pulled to 0, then the page will be released,
> and memmove() frags left.
> Is that right? I'm not sure if memmove does right or not, but
> frags[0].size is never set after memmove at least. What I think
> a simple way is not to do anything if we found frags[0].size == 0.
> The patch is as follows.
...

This version of the patch fixes the bug directly in memmove.

Reported-by: "Xin, Xiaohui" <xiaohui.xin@intel.com>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Jarek Poplawski and committed by David S. Miller
e5093aec 1c40be12

+1 -1
net/core/dev.c
··· 3143 3143 put_page(skb_shinfo(skb)->frags[0].page); 3144 3144 memmove(skb_shinfo(skb)->frags, 3145 3145 skb_shinfo(skb)->frags + 1, 3146 - --skb_shinfo(skb)->nr_frags); 3146 + --skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)); 3147 3147 } 3148 3148 } 3149 3149
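
Review bot: In the memmove() length argument on the added line, the pre-decrement of nr_frags is still buried inside the size expression, `--skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)`, which is correct only because unary `--` binds tighter than `*`. It would read more safely as a separate `skb_shinfo(skb)->nr_frags--;` statement before the call, with the length written as `skb_shinfo(skb)->nr_frags * sizeof(skb_shinfo(skb)->frags[0])` so the element size follows the array's type. The commit message could also state the effect of the old length: it passed a count of entries as a byte count, so after put_page() released frags[0].page the remaining frags entries were only partly shifted down.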