aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2006-04-18 16:24:14 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-04-18 18:57:49 -0400
commitef5cb9738b488140eb6c3f32fffab08f39a4905e (patch)
tree803d92cada2f9062417d4b6038482689b0c86f84
parent385910f2b275a636238f70844f1b6da9fda6f2da (diff)
[TCP]: Fix truesize underflow
There is a problem with the TSO packet trimming code. The cause of this lies in the tcp_fragment() function. When we allocate a fragment for a completely non-linear packet the truesize is calculated for a payload length of zero. This means that truesize could in fact be less than the real payload length. When that happens the TSO packet trimming can cause truesize to become negative. This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE which would trigger the warning. I've copied the code DaveM used in tso_fragment which should work here. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/tcp_output.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index b871db6adc55..44df1db726a3 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -551,7 +551,9 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
551 buff = sk_stream_alloc_skb(sk, nsize, GFP_ATOMIC); 551 buff = sk_stream_alloc_skb(sk, nsize, GFP_ATOMIC);
552 if (buff == NULL) 552 if (buff == NULL)
553 return -ENOMEM; /* We'll just try again later. */ 553 return -ENOMEM; /* We'll just try again later. */
554 sk_charge_skb(sk, buff); 554
555 buff->truesize = skb->len - len;
556 skb->truesize -= buff->truesize;
555 557
556 /* Correct the sequence numbers. */ 558 /* Correct the sequence numbers. */
557 TCP_SKB_CB(buff)->seq = TCP_SKB_CB(skb)->seq + len; 559 TCP_SKB_CB(buff)->seq = TCP_SKB_CB(skb)->seq + len;