From: Xin Long <lucien....@gmail.com>
Date: Mon, 23 Sep 2019 17:02:46 +0800

> Fei Liu reported a crash when doing netperf on a topo of macsec
> dev over veth:
...
> The issue was caused by skb's true_size changed without its sk's
> sk_wmem_alloc increased in tcp/skb_gro_receive(). Later when the
> skb is being freed and the skb's truesize is subtracted from its
> sk's sk_wmem_alloc in tcp_wfree(), underflow occurs.
>
> macsec is calling gro_cells_receive() to receive a packet, which
> actually requires skb->sk to be NULL. However when macsec dev is
> over veth, it's possible the skb->sk is still set if the skb was
> not unshared or expanded from the peer veth.
>
> ip_rcv() is calling skb_orphan() to drop the skb's sk for tproxy,
> but it is too late for macsec's calling gro_cells_receive(). So
> fix it by dropping the skb's sk earlier on rx path of macsec.
>
> Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices")
> Reported-by: Xiumei Mu <x...@redhat.com>
> Reported-by: Fei Liu <fe...@redhat.com>
> Signed-off-by: Xin Long <lucien....@gmail.com>

Applied and queued up for -stable, thank you.
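
The accounting mismatch described in the quoted commit message, as an added example that is not part of the original thread or the kernel source: a simplified user-space C model of the charge, GRO merge and free sequence, with and without orphaning the skb first. All `model_*` names and the 768-byte sizes are constructed for illustration, and the counter starts at 0 rather than the kernel's initial value.

```c
#include <stdio.h>

/* Simplified user-space model; names and sizes are hypothetical, not kernel code. */
struct model_sock { long wmem_alloc; };                   /* stands in for sk_wmem_alloc */
struct model_skb  { struct model_sock *sk; long truesize; };

/* Sender side: charge the skb's current truesize to the owning socket. */
static void model_set_owner_w(struct model_skb *skb, struct model_sock *sk)
{
    skb->sk = sk;
    sk->wmem_alloc += skb->truesize;
}

/* Role of tcp_wfree(): uncharge whatever truesize is *now*, then detach. */
static void model_wfree(struct model_skb *skb)
{
    if (skb->sk)
        skb->sk->wmem_alloc -= skb->truesize;
    skb->sk = NULL;
}

/* Role of the GRO merge: the head skb grows, but no socket is charged for it. */
static void model_gro_merge(struct model_skb *head, long extra)
{
    head->truesize += extra;
}

/* Returns the socket counter after the skb is freed; negative means underflow. */
long model_rx(int orphan_first)
{
    struct model_sock sk = { 0 };
    struct model_skb skb = { NULL, 768 };

    model_set_owner_w(&skb, &sk);      /* skb arrives from the veth peer still owned */
    if (orphan_first)
        model_wfree(&skb);             /* the fix: drop skb->sk before GRO (skb_orphan role) */
    model_gro_merge(&skb, 768);        /* truesize 768 -> 1536 */
    model_wfree(&skb);                 /* free path: no-op if already orphaned */
    return sk.wmem_alloc;
}

int main(void)
{
    printf("sk still set at GRO: counter = %ld\n", model_rx(0));
    printf("orphaned before GRO: counter = %ld\n", model_rx(1));
    return 0;
}
```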