[PATCH 0/5] skbuff: fix skb_segment with zero copy skbs

From: Michael S. Tsirkin
Date: Mon Mar 10 2014 - 12:29:14 EST


This fixes a bug in skb_segment where it moves frags
between skbs without orphaning them.
This causes userspace to assume it's safe to
reuse the buffer, and the receiver gets corrupted data.
This further might leak information from the
transmitter on the wire.

To fix, track which skb a copied frag belongs
to, and orphan frags when copying them.

As we are tracking multiple skbs here, using
short names (skb,nskb,fskb,skb_frag,frag) becomes confusing.
So before adding another one, I refactor these names
slightly.

Patch is split out to make it easier to
verify that all transformations are trivially correct.

The problem was observed in the field,
so I think that the patch is necessary on stable
as well.

Michael S. Tsirkin (5):
skbuff: skb_segment: s/frag/nskb_frag/
skbuff: skb_segment: s/skb_frag/frag/
skbuff: skb_segment: s/skb/head_skb/
skbuff: skb_segment: s/fskb/list_skb/
skbuff: skb_segment: orphan frags before copying

net/core/skbuff.c | 100 +++++++++++++++++++++++++++++-------------------------
1 file changed, 54 insertions(+), 46 deletions(-)

--
MST
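
A toy userspace model of the bug described in the cover letter above, added here as an example; it is not code from the patch series or from the kernel. The struct layouts and the functions `orphan_frag`, `segment` and `segment_intact` are simplified, hypothetical stand-ins, and the buffer contents are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FRAG_LEN 16

/* Toy model, hypothetical names: a zero-copy frag aliases user memory. */
struct frag { char *page; int zerocopy; };
struct skb  { struct frag frag; };

/* Give the frag a private copy so it no longer aliases user memory. */
static int orphan_frag(struct frag *f)
{
    char *copy = malloc(FRAG_LEN);
    if (!copy)
        return -1;
    memcpy(copy, f->page, FRAG_LEN);
    f->page = copy;
    f->zerocopy = 0;
    return 0;
}

/* Move head's frag into a new segment, orphaning it first if asked to. */
static int segment(struct skb *head, struct skb *seg, int orphan)
{
    if (orphan && head->frag.zerocopy && orphan_frag(&head->frag))
        return -1;
    seg->frag = head->frag;
    return 0;
}

/* Returns 1 if the segment still holds what the sender queued, 0 if not. */
int segment_intact(int orphan)
{
    char ubuf[FRAG_LEN] = "payload-one";    /* constructed user buffer */
    struct skb head = { { ubuf, 1 } }, seg;
    if (segment(&head, &seg, orphan))
        return -1;
    /* head is freed here; its completion tells userspace to reuse ubuf */
    strcpy(ubuf, "next-request");
    int ok = memcmp(seg.frag.page, "payload-one", 12) == 0;
    if (!seg.frag.zerocopy)
        free(seg.frag.page);
    return ok;
}

int main(void)
{
    printf("no orphan: %d, orphan: %d\n", segment_intact(0), segment_intact(1));
    return 0;
}
```

Without orphaning, the segment still points at the user buffer when it is reused, so the queued payload is gone; with orphaning, the segment keeps its own copy.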
