diff options
| author | Octavian Purdila <opurdila@ixiacom.com> | 2008-06-27 20:27:21 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-06-27 20:27:21 -0400 |
| commit | db43a282d3ec92ea45109c5551fff3dcc5afef02 (patch) | |
| tree | 9104c9559f3bfbdb0868e04a46176989e65c2efa | |
| parent | 57413ebc4e0f1e471a3b4db4aff9a85c083d090e (diff) | |
tcp: fix for splice receive when used with software LRO
If an skb has nr_frags set to zero but its frag_list is not empty (as
it can happen if software LRO is enabled), and a previous
tcp_read_sock has consumed the linear part of the skb, then
__skb_splice_bits:
(a) incorrectly reports an error and
(b) forgets to update the offset to account for the linear part
Any of the two problems will cause the subsequent __skb_splice_bits
call (the one that handles the frag_list skbs) to either skip data,
or, if the unadjusted offset is greater then the size of the next skb
in the frag_list, make tcp_splice_read loop forever.
Signed-off-by: Octavian Purdila <opurdila@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/core/skbuff.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 1e556d312117..366621610e76 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -1292,12 +1292,14 @@ static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset, | |||
| 1292 | { | 1292 | { |
| 1293 | unsigned int nr_pages = spd->nr_pages; | 1293 | unsigned int nr_pages = spd->nr_pages; |
| 1294 | unsigned int poff, plen, len, toff, tlen; | 1294 | unsigned int poff, plen, len, toff, tlen; |
| 1295 | int headlen, seg; | 1295 | int headlen, seg, error = 0; |
| 1296 | 1296 | ||
| 1297 | toff = *offset; | 1297 | toff = *offset; |
| 1298 | tlen = *total_len; | 1298 | tlen = *total_len; |
| 1299 | if (!tlen) | 1299 | if (!tlen) { |
| 1300 | error = 1; | ||
| 1300 | goto err; | 1301 | goto err; |
| 1302 | } | ||
| 1301 | 1303 | ||
| 1302 | /* | 1304 | /* |
| 1303 | * if the offset is greater than the linear part, go directly to | 1305 | * if the offset is greater than the linear part, go directly to |
| @@ -1339,7 +1341,8 @@ static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset, | |||
| 1339 | * just jump directly to update and return, no point | 1341 | * just jump directly to update and return, no point |
| 1340 | * in going over fragments when the output is full. | 1342 | * in going over fragments when the output is full. |
| 1341 | */ | 1343 | */ |
| 1342 | if (spd_fill_page(spd, virt_to_page(p), plen, poff, skb)) | 1344 | error = spd_fill_page(spd, virt_to_page(p), plen, poff, skb); |
| 1345 | if (error) | ||
| 1343 | goto done; | 1346 | goto done; |
| 1344 | 1347 | ||
| 1345 | tlen -= plen; | 1348 | tlen -= plen; |
| @@ -1369,7 +1372,8 @@ map_frag: | |||
| 1369 | if (!plen) | 1372 | if (!plen) |
| 1370 | break; | 1373 | break; |
| 1371 | 1374 | ||
| 1372 | if (spd_fill_page(spd, f->page, plen, poff, skb)) | 1375 | error = spd_fill_page(spd, f->page, plen, poff, skb); |
| 1376 | if (error) | ||
| 1373 | break; | 1377 | break; |
| 1374 | 1378 | ||
| 1375 | tlen -= plen; | 1379 | tlen -= plen; |
| @@ -1382,7 +1386,10 @@ done: | |||
| 1382 | return 0; | 1386 | return 0; |
| 1383 | } | 1387 | } |
| 1384 | err: | 1388 | err: |
| 1385 | return 1; | 1389 | /* update the offset to reflect the linear part skip, if any */ |
| 1390 | if (!error) | ||
| 1391 | *offset = toff; | ||
| 1392 | return error; | ||
| 1386 | } | 1393 | } |
| 1387 | 1394 | ||
| 1388 | /* | 1395 | /* |