From: Jon Maloy <jon.ma...@ericsson.com>
Date: Mon, 19 Oct 2015 11:33:00 -0400
> The current code for message reassembly is erroneously assuming that
> the the first arriving fragment buffer always is linear, and then goes
> ahead resetting the fragment list of that buffer in anticipation of
> more arriving fragments.
>
> However, if the buffer already happens to be non-linear, we will
> inadvertently drop the already attached fragment list, and later
> on trig a BUG() in __pskb_pull_tail().
>
> We see this happen when running fragmented TIPC multicast across UDP,
> something made possible since
> commit d0f91938bede ("tipc: add ip/udp media type")
>
> We fix this by not resetting the fragment list when the buffer is non-
> linear, and by initiatlizing our private fragment list tail pointer to
> the tail of the existing fragment list.
>
> Fixes: commit d0f91938bede ("tipc: add ip/udp media type")
> Signed-off-by: Jon Maloy <jon.ma...@ericsson.com>
Applied and queued up for -stable, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
