diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2006-04-18 16:24:14 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-04-18 18:57:49 -0400 |
commit | ef5cb9738b488140eb6c3f32fffab08f39a4905e (patch) | |
tree | 803d92cada2f9062417d4b6038482689b0c86f84 | |
parent | 385910f2b275a636238f70844f1b6da9fda6f2da (diff) |
[TCP]: Fix truesize underflow
There is a problem with the TSO packet trimming code. The cause of
this lies in the tcp_fragment() function.
When we allocate a fragment for a completely non-linear packet the
truesize is calculated for a payload length of zero. This means that
truesize could in fact be less than the real payload length.
When that happens the TSO packet trimming can cause truesize to become
negative. This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE
which would trigger the warning.
I've copied the code DaveM used in tso_fragment which should work here.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/tcp_output.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index b871db6adc55..44df1db726a3 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c | |||
@@ -551,7 +551,9 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss | |||
551 | buff = sk_stream_alloc_skb(sk, nsize, GFP_ATOMIC); | 551 | buff = sk_stream_alloc_skb(sk, nsize, GFP_ATOMIC); |
552 | if (buff == NULL) | 552 | if (buff == NULL) |
553 | return -ENOMEM; /* We'll just try again later. */ | 553 | return -ENOMEM; /* We'll just try again later. */ |
554 | sk_charge_skb(sk, buff); | 554 | |
555 | buff->truesize = skb->len - len; | ||
556 | skb->truesize -= buff->truesize; | ||
555 | 557 | ||
556 | /* Correct the sequence numbers. */ | 558 | /* Correct the sequence numbers. */ |
557 | TCP_SKB_CB(buff)->seq = TCP_SKB_CB(skb)->seq + len; | 559 | TCP_SKB_CB(buff)->seq = TCP_SKB_CB(skb)->seq + len; |