On cow we can free the old extension: we must avoid dereferencing
such extension after skb_ext_maybe_cow(). Since 'new' contents
are always equal to 'old' after the copy, we can fix the above
accessing the relevant data using 'new'.
Fixes: df5042f4c5b9 ("sk_buff: add skb extension infrastructure")
Signed-off-by: Paolo Abeni <pab...@redhat.com>
Acked-by: Florian Westphal <f...@strlen.de>
---
net/core/skbuff.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index cb0bf4215745..e1d88762f659 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5666,13 +5666,13 @@ void *skb_ext_add(struct sk_buff *skb, enum skb_ext_id
id)
if (!new)
return NULL;
- if (__skb_ext_exist(old, id)) {
+ if (__skb_ext_exist(new, id)) {
if (old != new)
skb->extensions = new;
goto set_active;
}
- newoff = old->chunks;
+ newoff = new->chunks;
} else {
newoff = SKB_EXT_CHUNKSIZEOF(*new);
--
2.19.2
