linux/net
Michal Kubeček e44699d2c2 net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
Recently I started seeing warnings about pages with refcount -1. The
problem was traced to packets being reused after their head was merged into
a GRO packet by skb_gro_receive(). While bisecting the issue pointed to
commit c21b48cc1b ("net: adjust skb->truesize in ___pskb_trim()") and
I have never seen it on a kernel with it reverted, I believe the real
problem appeared earlier when the option to merge head frag in GRO was
implemented.

Handling NAPI_GRO_FREE_STOLEN_HEAD state was only added to GRO_MERGED_FREE
branch of napi_skb_finish() so that if the driver uses napi_gro_frags()
and head is merged (which in my case happens after the skb_condense()
call added by the commit mentioned above), the skb is reused including the
head that has been merged. As a result, we release the page reference
twice and eventually end up with negative page refcount.

To fix the problem, handle NAPI_GRO_FREE_STOLEN_HEAD in napi_frags_finish()
the same way it's done in napi_skb_finish().

Fixes: d7e8883cfc ("net: make GRO aware of skb->head_frag")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-29 15:54:13 -04:00
6lowpan
9p xen: fixes for 4.12 rc2 2017-05-19 15:06:48 -07:00
802
8021q net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev 2017-06-19 14:10:20 -04:00
appletalk
atm
ax25
batman-adv Here are two batman-adv bugfixes: 2017-06-13 13:46:01 -04:00
bluetooth net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
bpf
bridge net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
caif caif: Add sockaddr length check before accessing sa_family in connect handler 2017-06-13 16:16:11 -04:00
can can: af_can: namespace support: fix lockdep splat: properly initialize spin_lock 2017-06-09 11:39:23 +02:00
ceph libceph: cleanup old messages according to reconnect seq 2017-05-24 18:10:51 +02:00
core net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish() 2017-06-29 15:54:13 -04:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-05-15 15:50:49 -07:00
decnet decnet: always not take dst->__refcnt when inserting dst into hash table 2017-06-16 14:59:36 -04:00
dns_resolver
dsa net: dsa: Fix stale cpu_switch reference after unbind then bind 2017-06-04 22:55:17 -04:00
ethernet
hsr hsr: fix incorrect warning 2017-06-12 15:21:20 -04:00
ieee802154 net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
ife
ipv4 tcp: reset sk_rx_dst in tcp_disconnect() 2017-06-25 12:23:07 -04:00
ipv6 net: ipv6: reset daddr and dport in sk if connect() fails 2017-06-25 11:46:56 -04:00
ipx
irda net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
iucv
kcm
key xfrm: NULL dereference on allocation failure 2017-06-14 12:40:49 +02:00
l2tp l2tp: cast l2tp traffic counter to unsigned 2017-06-10 16:14:27 -04:00
l3mdev
lapb
llc net: llc: add lock_sock in llc_ui_bind to avoid a race condition 2017-05-26 14:20:29 -04:00
mac80211 Some fixes: 2017-06-13 13:34:13 -04:00
mac802154 net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
mpls mpls: fix clearing of dead nh_flags on link up 2017-05-31 14:48:24 -04:00
ncsi
netfilter netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize 2017-05-24 11:26:01 +02:00
netlabel
netlink netlink: don't send unknown nsid 2017-06-01 11:49:39 -04:00
netrom
nfc
openvswitch net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
packet net/packet: fix missing net_device reference release 2017-05-15 14:22:12 -04:00
phonet net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
psample
qrtr
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-05-02 16:40:27 -07:00
rfkill
rose
rxrpc rxrpc: Fix several cases where a padded len isn't checked in ticket decode 2017-06-15 14:23:44 -04:00
sched net: sched: Fix one possible panic when no destroy callback 2017-06-29 12:55:12 -04:00
sctp sctp: ensure ep is not destroyed before doing the dump 2017-06-19 15:13:43 -04:00
smc net/smc: Add warning about remote memory exposure 2017-05-16 14:49:43 -04:00
strparser
sunrpc SUNRPC: ensure correct error is reported by xs_tcp_setup_socket() 2017-05-31 12:26:44 -04:00
switchdev
tipc net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse 2017-06-10 18:20:38 -04:00
unix af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers 2017-06-09 10:10:24 -04:00
vmw_vsock vsock: use new wait API for vsock_stream_sendmsg() 2017-05-22 14:39:36 -04:00
wimax
wireless dev_ioctl: copy only the smaller struct iwreq for wext 2017-06-14 13:52:44 +02:00
x25 net: x25: fix one potential use-after-free issue 2017-05-18 10:05:40 -04:00
xfrm xfrm: move xfrm_garbage_collect out of xfrm_policy_flush 2017-06-12 11:51:21 +02:00
compat.c
Kconfig
Makefile
socket.c
sysctl_net.c