Hi Steffen:

I'm looking at the function xfrm_input near the end where it deals with transport mode packets:

	err = x->inner_mode->afinfo->transport_finish(skb, xfrm_gro || async);
	if (xfrm_gro) {
		if (skb->sp)
			skb->sp->olen = 0;
		skb_dst_drop(skb);
		gro_cells_receive(&gro_cells, skb);
		return err;
	}

This looks wrong because in transport mode, transport_finish is well within its rights to consume and free the skb. For example, IPv4 transport_finish eventually calls xfrm4_rcv_encap_finish which does:

	if (!skb_dst(skb)) {
		const struct iphdr *iph = ip_hdr(skb);

		if (ip_route_input_noref(skb, iph->daddr, iph->saddr,
					 iph->tos, skb->dev))
			goto drop;
	}
	return dst_input(skb);
drop:
	kfree_skb(skb);
	return NET_RX_DROP;

Whichever path it takes the skb is either gone or belongs to someone else. So why is xfrm_input in the xfrm_gro case trying to reinject the skb into the network stack?

Cheers,
--
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt