author | Jarek Poplawski <jarkao2@gmail.com> | 2009-04-30 08:41:19 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-04-30 08:41:19 -0400 |
commit | 7a67e56fd362d3edfde1f19170893508c3940d3a (patch) | |
tree | 9bbddde4ab62836ab6d488f98ca653d56d6cb142 /net/core | |
parent | 93af7aca44f0e82e67bda10a0fb73d383edcc8bd (diff) |
net: Fix oops when splicing skbs from a frag_list.
Lennert Buytenhek wrote:
> Since 4fb669948116d928ae44262ab7743732c574630d ("net: Optimize memory
> usage when splicing from sockets.") I'm seeing this oops (e.g. in
> 2.6.30-rc3) when splicing from a TCP socket to /dev/null on a driver
> (mv643xx_eth) that uses LRO in the skb mode (lro_receive_skb) rather
> than the frag mode:
My patch incorrectly assumed skb->sk was always valid, but for
"frag_listed" skbs we can only use skb->sk of their parent.
Reported-by: Lennert Buytenhek <buytenh@wantstofly.org>
Debugged-by: Lennert Buytenhek <buytenh@wantstofly.org>
Tested-by: Lennert Buytenhek <buytenh@wantstofly.org>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
-rw-r--r-- | net/core/skbuff.c | 27 |
1 files changed, 14 insertions, 13 deletions
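diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index ce6356cd9f71..f091a5a845c1 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1365,9 +1365,8 @@ static void sock_spd_release(struct splice_pipe_desc *spd, unsigned int i)
 
 static inline struct page *linear_to_page(struct page *page, unsigned int *len,
 unsigned int *offset,
-struct sk_buff *skb)
+struct sk_buff *skb, struct sock *sk)
 {
-struct sock *sk = skb->sk;
 struct page *p = sk->sk_sndmsg_page;
 unsigned int off;
 
@@ -1405,13 +1404,14 @@ new_page:
 */
 static inline int spd_fill_page(struct splice_pipe_desc *spd, struct page *page,
 unsigned int *len, unsigned int offset,
-struct sk_buff *skb, int linear)
+struct sk_buff *skb, int linear,
+struct sock *sk)
 {
 if (unlikely(spd->nr_pages == PIPE_BUFFERS))
 return 1;
 
 if (linear) {
-page = linear_to_page(page, len, &offset, skb);
+page = linear_to_page(page, len, &offset, skb, sk);
 if (!page)
 return 1;
 } else
@@ -1442,7 +1442,8 @@ static inline void __segment_seek(struct page **page, unsigned int *poff,
 static inline int __splice_segment(struct page *page, unsigned int poff,
 unsigned int plen, unsigned int *off,
 unsigned int *len, struct sk_buff *skb,
-struct splice_pipe_desc *spd, int linear)
+struct splice_pipe_desc *spd, int linear,
+struct sock *sk)
 {
 if (!*len)
 return 1;
@@ -1465,7 +1466,7 @@ static inline int __splice_segment(struct page *page, unsigned int poff,
 /* the linear region may spread across several pages */
 flen = min_t(unsigned int, flen, PAGE_SIZE - poff);
 
-if (spd_fill_page(spd, page, &flen, poff, skb, linear))
+if (spd_fill_page(spd, page, &flen, poff, skb, linear, sk))
 return 1;
 
 __segment_seek(&page, &poff, &plen, flen);
@@ -1481,8 +1482,8 @@ static inline int __splice_segment(struct page *page, unsigned int poff,
 * pipe is full or if we already spliced the requested length.
 */
 static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset,
-unsigned int *len,
-struct splice_pipe_desc *spd)
+unsigned int *len, struct splice_pipe_desc *spd,
+struct sock *sk)
 {
 int seg;
 
@@ -1492,7 +1493,7 @@ static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset,
 if (__splice_segment(virt_to_page(skb->data),
 (unsigned long) skb->data & (PAGE_SIZE - 1),
 skb_headlen(skb),
-offset, len, skb, spd, 1))
+offset, len, skb, spd, 1, sk))
 return 1;
 
 /*
@@ -1502,7 +1503,7 @@ static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset,
 const skb_frag_t *f = &skb_shinfo(skb)->frags[seg];
 
 if (__splice_segment(f->page, f->page_offset, f->size,
-offset, len, skb, spd, 0))
+offset, len, skb, spd, 0, sk))
 return 1;
 }
 
@@ -1528,12 +1529,13 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
 .ops = &sock_pipe_buf_ops,
 .spd_release = sock_spd_release,
 };
+struct sock *sk = skb->sk;
 
 /*
 * __skb_splice_bits() only fails if the output has no room left,
 * so no point in going over the frag_list for the error case.
 */
-if (__skb_splice_bits(skb, &offset, &tlen, &spd))
+if (__skb_splice_bits(skb, &offset, &tlen, &spd, sk))
 goto done;
 else if (!tlen)
 goto done;
@@ -1545,14 +1547,13 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
 struct sk_buff *list = skb_shinfo(skb)->frag_list;
 
 for (; list && tlen; list = list->next) {
-if (__skb_splice_bits(list, &offset, &tlen, &spd))
+if (__skb_splice_bits(list, &offset, &tlen, &spd, sk))
 break;
 }
 }
 
 done:
 if (spd.nr_pages) {
-struct sock *sk = skb->sk;
 int ret;
 
 /*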
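Review bot: The `struct sock *sk = skb->sk;` now captured at the top of skb_splice_bits() is still dereferenced unconditionally in linear_to_page() (`sk->sk_sndmsg_page`), so the fix depends on the parent skb always carrying a valid socket, and nothing visible states or checks that. I would document the invariant where `sk` is captured, e.g. `/* frag_list skbs have no valid ->sk; use the parent's socket for every segment */`, so that a later caller passing an skb without an owner does not bring back the same NULL dereference. Separately, `skb` appears to be unused in linear_to_page() once its only visible use (`skb->sk`) is removed; if the rest of that body, which lies outside the hunk, does not touch it, the parameter could be dropped there and possibly in spd_fill_page(). The bodies of all the touched functions begin or end outside the displayed hunks.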