From: Patrick McHardy <kaber@trash.net>
Date: Tue, 1 Dec 2009 23:53:57 +0000 (-0800)
Subject: ip_fragment: also adjust skb->truesize for packets not owned by a socket
X-Git-Tag: firefly_0821_release~11625^2~526
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=42d8bd7737a65b535d3247392b11fcd0f32303fe;p=firefly-linux-kernel-4.4.55.git

ip_fragment: also adjust skb->truesize for packets not owned by a socket

[ Upstream commit b2722b1c3a893ec6021508da15b32282ec79f4da ]

When a large packet gets reassembled by ip_defrag(), the head skb
accounts for all the fragments in skb->truesize. If this packet is
refragmented again, skb->truesize is not re-adjusted to reflect only
the head size since its not owned by a socket. If the head fragment
then gets recycled and reused for another received fragment, it might
exceed the defragmentation limits due to its large truesize value.

skb_recycle_check() explicitly checks for linear skbs, so any recycled
skb should reflect its true size in skb->truesize. Change ip_fragment()
to also adjust the truesize value of skbs not owned by a socket.

Reported-and-tested-by: Ben Menchaca <ben@bigfootnetworks.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index f9895180f481..4d50daab0c3e 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -501,8 +501,8 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 			if (skb->sk) {
 				frag->sk = skb->sk;
 				frag->destructor = sock_wfree;
-				truesizes += frag->truesize;
 			}
+			truesizes += frag->truesize;
 		}
 
 		/* Everything is OK. Generate! */