From: Duan Jiong Date: Thu, 23 Jan 2014 06:00:25 +0000 (+0800) Subject: ip_tunnel: clear IPCB in ip_tunnel_xmit() in case dst_link_failure() is called X-Git-Tag: v3.10.29~23 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b5ac52437d8e34ea8032cfa77d6e6aa4b161aeb5;p=platform%2Fkernel%2Flinux-stable.git ip_tunnel: clear IPCB in ip_tunnel_xmit() in case dst_link_failure() is called [ Upstream commit 11c21a307d79ea5f6b6fc0d3dfdeda271e5e65f6 ] commit a622260254ee48("ip_tunnel: fix kernel panic with icmp_dest_unreach") clear IPCB in ip_tunnel_xmit() , or else skb->cb[] may contain garbage from GSO segmentation layer. But commit 0e6fbc5b6c621("ip_tunnels: extend iptunnel_xmit()") refactor codes, and it clear IPCB behind the dst_link_failure(). So clear IPCB in ip_tunnel_xmit() just like commti a622260254ee48("ip_tunnel: fix kernel panic with icmp_dest_unreach"). Signed-off-by: Duan Jiong Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index 46dcf32..fa65732 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -636,6 +636,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, tunnel->err_time + IPTUNNEL_ERR_TIMEO)) { tunnel->err_count--; + memset(IPCB(skb), 0, sizeof(*IPCB(skb))); dst_link_failure(skb); } else tunnel->err_count = 0;