From: Jacob Wen <jian.w....@oracle.com>
Date: Wed, 30 Jan 2019 14:55:14 +0800

> Use pskb_may_pull() to make sure the optional fields are in skb linear
> parts, so we can safely read them later.
> 
> It's easy to reproduce the issue with a net driver that supports paged
> skb data. Just create an L2TPv3 over IP tunnel and then generate some
> network traffic.
> Once reproduced, rx err in /sys/kernel/debug/l2tp/tunnels will increase.
> 
> Changes in v4:
> 1. s/l2tp_v3_pull_opt/l2tp_v3_ensure_opt_in_linear/
> 2. s/tunnel->version != L2TP_HDR_VER_2/tunnel->version == L2TP_HDR_VER_3/
> 3. Add 'Fixes' in commit messages.
> 
> Changes in v3:
> 1. To keep consistency, move the code out of l2tp_recv_common.
> 2. Use "net" instead of "net-next", since this is a bug fix.
> 
> Changes in v2:
> 1. Only fix L2TPv3 to make code simple.
>    To fix both L2TPv3 and L2TPv2, we'd better refactor l2tp_recv_common.
>    It's complicated to do so.
> 2. Reloading pointers after pskb_may_pull
> 
> Fixes: f7faffa3ff8e ("l2tp: Add L2TPv3 protocol support")
> Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
> Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
> 
> Signed-off-by: Jacob Wen <jian.w....@oracle.com>
> Acked-by: Guillaume Nault <gna...@redhat.com>

Applied and queued up for -stable, thanks.
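
The pull-then-reload pattern described in the quoted commit message (pskb_may_pull() followed by reloading pointers), shown as an added example that is not part of this thread or of the kernel patch. It is a userspace C model: `struct pkt`, `pkt_may_pull()`, `ensure_opt_in_linear()` and `read_cookie()` are hypothetical names, and the packet bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Userspace model of a paged packet; NOT the kernel's struct sk_buff. */
struct pkt {
    unsigned char *data;         /* linear part, safe to dereference */
    const unsigned char *frag;   /* paged part, not reachable via data */
    size_t linear_len, frag_len;
};

/* Model of pskb_may_pull(): make the first n bytes linear, 1 on success.
 * The linear part is reallocated, so pointers into the old one go stale. */
static int pkt_may_pull(struct pkt *p, size_t n)
{
    if (n <= p->linear_len) return 1;
    if (n > p->linear_len + p->frag_len) return 0;  /* truncated packet */
    size_t need = n - p->linear_len;
    unsigned char *nd = malloc(n);
    if (!nd) return 0;
    memcpy(nd, p->data, p->linear_len);
    memcpy(nd + p->linear_len, p->frag, need);
    free(p->data);
    p->data = nd; p->linear_len = n;
    p->frag += need; p->frag_len -= need;
    return 1;
}

/* Pull opt_len bytes at *ptr into the linear part, then reload both pointers. */
static int ensure_opt_in_linear(struct pkt *p, size_t opt_len,
                                unsigned char **ptr, unsigned char **optr)
{
    size_t off = (size_t)(*ptr - *optr);  /* offset survives reallocation */
    if (!pkt_may_pull(p, off + opt_len)) return -1;
    *optr = p->data; *ptr = p->data + off;  /* old values may be stale */
    return 0;
}

/* Constructed packet: 4-byte header linear, cookie + payload in the paged part. */
static int read_cookie(size_t frag_len, unsigned char out[4])
{
    static const unsigned char paged[8] = {0xde, 0xad, 0xbe, 0xef, 'd', 'a', 't', 'a'};
    struct pkt p = { calloc(1, 4), paged, 4, frag_len };
    if (!p.data) return -1;
    unsigned char *optr = p.data, *ptr = optr + 4;  /* ptr: just past the header */
    int rc = ensure_opt_in_linear(&p, 4, &ptr, &optr);
    if (rc == 0) memcpy(out, ptr, 4);     /* safe: cookie is now linear */
    free(p.data);
    return rc;
}

int main(void) { unsigned char c[4]; return read_cookie(8, c); }
```

With only 2 paged bytes available, the pull fails and the cookie is never read, which in this model corresponds to dropping the packet instead of reading past the linear part.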
