diff options
| author | David S. Miller <davem@sunset.davemloft.net> | 2007-10-31 00:29:29 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-31 00:29:29 -0400 |
| commit | 51c739d1f484b2562040a3e496dc8e1670d4e279 (patch) | |
| tree | 87b12c2330f2951deb1a435367907d15a5d938c3 /net/core | |
| parent | 07afa040252eb41f91f46f8e538b434a63122999 (diff) | |
[NET]: Fix incorrect sg_mark_end() calls.
This fixes scatterlist corruptions added by
commit 68e3f5dd4db62619fdbe520d36c9ebf62e672256
[CRYPTO] users: Fix up scatterlist conversion errors
The issue is that the code calls sg_mark_end() which clobbers the
sg_page() pointer of the final scatterlist entry.
The first part fo the fix makes skb_to_sgvec() do __sg_mark_end().
After considering all skb_to_sgvec() call sites the most correct
solution is to call __sg_mark_end() in skb_to_sgvec() since that is
what all of the callers would end up doing anyways.
I suspect this might have fixed some problems in virtio_net which is
the sole non-crypto user of skb_to_sgvec().
Other similar sg_mark_end() cases were converted over to
__sg_mark_end() as well.
Arguably sg_mark_end() is a poorly named function because it doesn't
just "mark", it clears out the page pointer as a side effect, which is
what led to these bugs in the first place.
The one remaining plain sg_mark_end() call is in scsi_alloc_sgtable()
and arguably it could be converted to __sg_mark_end() if only so that
we can delete this confusing interface from linux/scatterlist.h
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
| -rw-r--r-- | net/core/skbuff.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 573e17240197..64b50ff7a413 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -2028,8 +2028,8 @@ void __init skb_init(void) | |||
| 2028 | * Fill the specified scatter-gather list with mappings/pointers into a | 2028 | * Fill the specified scatter-gather list with mappings/pointers into a |
| 2029 | * region of the buffer space attached to a socket buffer. | 2029 | * region of the buffer space attached to a socket buffer. |
| 2030 | */ | 2030 | */ |
| 2031 | int | 2031 | static int |
| 2032 | skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) | 2032 | __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) |
| 2033 | { | 2033 | { |
| 2034 | int start = skb_headlen(skb); | 2034 | int start = skb_headlen(skb); |
| 2035 | int i, copy = start - offset; | 2035 | int i, copy = start - offset; |
| @@ -2078,7 +2078,8 @@ skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) | |||
| 2078 | if ((copy = end - offset) > 0) { | 2078 | if ((copy = end - offset) > 0) { |
| 2079 | if (copy > len) | 2079 | if (copy > len) |
| 2080 | copy = len; | 2080 | copy = len; |
| 2081 | elt += skb_to_sgvec(list, sg+elt, offset - start, copy); | 2081 | elt += __skb_to_sgvec(list, sg+elt, offset - start, |
| 2082 | copy); | ||
| 2082 | if ((len -= copy) == 0) | 2083 | if ((len -= copy) == 0) |
| 2083 | return elt; | 2084 | return elt; |
| 2084 | offset += copy; | 2085 | offset += copy; |
| @@ -2090,6 +2091,15 @@ skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) | |||
| 2090 | return elt; | 2091 | return elt; |
| 2091 | } | 2092 | } |
| 2092 | 2093 | ||
| 2094 | int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) | ||
| 2095 | { | ||
| 2096 | int nsg = __skb_to_sgvec(skb, sg, offset, len); | ||
| 2097 | |||
| 2098 | __sg_mark_end(&sg[nsg - 1]); | ||
| 2099 | |||
| 2100 | return nsg; | ||
| 2101 | } | ||
| 2102 | |||
| 2093 | /** | 2103 | /** |
| 2094 | * skb_cow_data - Check that a socket buffer's data buffers are writable | 2104 | * skb_cow_data - Check that a socket buffer's data buffers are writable |
| 2095 | * @skb: The socket buffer to check. | 2105 | * @skb: The socket buffer to check. |