esp: Fix locking on page fragment allocation
We allocate the page fragment for the ESP trailer inside a spinlock, but consume it outside of the lock. This is racy as some other cou could get the same page fragment then. Fix this by consuming the page fragment inside the lock too. Fixes:cac2661c53
("esp4: Avoid skb_cow_data whenever possible") Fixes:03e2a30f6a
("esp6: Avoid skb_cow_data whenever possible") Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
parent
8a4b5784fa
commit
36ff0dd39f
|
@ -292,8 +292,6 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
|
|||
|
||||
kunmap_atomic(vaddr);
|
||||
|
||||
spin_unlock_bh(&x->lock);
|
||||
|
||||
nfrags = skb_shinfo(skb)->nr_frags;
|
||||
|
||||
__skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
|
||||
|
@ -301,6 +299,9 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
|
|||
skb_shinfo(skb)->nr_frags = ++nfrags;
|
||||
|
||||
pfrag->offset = pfrag->offset + allocsize;
|
||||
|
||||
spin_unlock_bh(&x->lock);
|
||||
|
||||
nfrags++;
|
||||
|
||||
skb->len += tailen;
|
||||
|
|
|
@ -260,8 +260,6 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
|
|||
|
||||
kunmap_atomic(vaddr);
|
||||
|
||||
spin_unlock_bh(&x->lock);
|
||||
|
||||
nfrags = skb_shinfo(skb)->nr_frags;
|
||||
|
||||
__skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
|
||||
|
@ -269,6 +267,9 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
|
|||
skb_shinfo(skb)->nr_frags = ++nfrags;
|
||||
|
||||
pfrag->offset = pfrag->offset + allocsize;
|
||||
|
||||
spin_unlock_bh(&x->lock);
|
||||
|
||||
nfrags++;
|
||||
|
||||
skb->len += tailen;
|
||||
|
|
Loading…
Reference in New Issue