aboutsummaryrefslogtreecommitdiffstats
path: root/net/core
diff options
context:
space:
mode:
authorJarek Poplawski <jarkao2@gmail.com>2009-04-30 08:41:19 -0400
committerDavid S. Miller <davem@davemloft.net>2009-04-30 08:41:19 -0400
commit7a67e56fd362d3edfde1f19170893508c3940d3a (patch)
tree9bbddde4ab62836ab6d488f98ca653d56d6cb142 /net/core
parent93af7aca44f0e82e67bda10a0fb73d383edcc8bd (diff)
net: Fix oops when splicing skbs from a frag_list.
Lennert Buytenhek wrote: > Since 4fb669948116d928ae44262ab7743732c574630d ("net: Optimize memory > usage when splicing from sockets.") I'm seeing this oops (e.g. in > 2.6.30-rc3) when splicing from a TCP socket to /dev/null on a driver > (mv643xx_eth) that uses LRO in the skb mode (lro_receive_skb) rather > than the frag mode: My patch incorrectly assumed skb->sk was always valid, but for "frag_listed" skbs we can only use skb->sk of their parent. Reported-by: Lennert Buytenhek <buytenh@wantstofly.org> Debugged-by: Lennert Buytenhek <buytenh@wantstofly.org> Tested-by: Lennert Buytenhek <buytenh@wantstofly.org> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
-rw-r--r--net/core/skbuff.c27
1 files changed, 14 insertions, 13 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index ce6356cd9f71..f091a5a845c1 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1365,9 +1365,8 @@ static void sock_spd_release(struct splice_pipe_desc *spd, unsigned int i)
1365 1365
1366static inline struct page *linear_to_page(struct page *page, unsigned int *len, 1366static inline struct page *linear_to_page(struct page *page, unsigned int *len,
1367 unsigned int *offset, 1367 unsigned int *offset,
1368 struct sk_buff *skb) 1368 struct sk_buff *skb, struct sock *sk)
1369{ 1369{
1370 struct sock *sk = skb->sk;
1371 struct page *p = sk->sk_sndmsg_page; 1370 struct page *p = sk->sk_sndmsg_page;
1372 unsigned int off; 1371 unsigned int off;
1373 1372
@@ -1405,13 +1404,14 @@ new_page:
1405 */ 1404 */
1406static inline int spd_fill_page(struct splice_pipe_desc *spd, struct page *page, 1405static inline int spd_fill_page(struct splice_pipe_desc *spd, struct page *page,
1407 unsigned int *len, unsigned int offset, 1406 unsigned int *len, unsigned int offset,
1408 struct sk_buff *skb, int linear) 1407 struct sk_buff *skb, int linear,
1408 struct sock *sk)
1409{ 1409{
1410 if (unlikely(spd->nr_pages == PIPE_BUFFERS)) 1410 if (unlikely(spd->nr_pages == PIPE_BUFFERS))
1411 return 1; 1411 return 1;
1412 1412
1413 if (linear) { 1413 if (linear) {
1414 page = linear_to_page(page, len, &offset, skb); 1414 page = linear_to_page(page, len, &offset, skb, sk);
1415 if (!page) 1415 if (!page)
1416 return 1; 1416 return 1;
1417 } else 1417 } else
@@ -1442,7 +1442,8 @@ static inline void __segment_seek(struct page **page, unsigned int *poff,
1442static inline int __splice_segment(struct page *page, unsigned int poff, 1442static inline int __splice_segment(struct page *page, unsigned int poff,
1443 unsigned int plen, unsigned int *off, 1443 unsigned int plen, unsigned int *off,
1444 unsigned int *len, struct sk_buff *skb, 1444 unsigned int *len, struct sk_buff *skb,
1445 struct splice_pipe_desc *spd, int linear) 1445 struct splice_pipe_desc *spd, int linear,
1446 struct sock *sk)
1446{ 1447{
1447 if (!*len) 1448 if (!*len)
1448 return 1; 1449 return 1;
@@ -1465,7 +1466,7 @@ static inline int __splice_segment(struct page *page, unsigned int poff,
1465 /* the linear region may spread across several pages */ 1466 /* the linear region may spread across several pages */
1466 flen = min_t(unsigned int, flen, PAGE_SIZE - poff); 1467 flen = min_t(unsigned int, flen, PAGE_SIZE - poff);
1467 1468
1468 if (spd_fill_page(spd, page, &flen, poff, skb, linear)) 1469 if (spd_fill_page(spd, page, &flen, poff, skb, linear, sk))
1469 return 1; 1470 return 1;
1470 1471
1471 __segment_seek(&page, &poff, &plen, flen); 1472 __segment_seek(&page, &poff, &plen, flen);
@@ -1481,8 +1482,8 @@ static inline int __splice_segment(struct page *page, unsigned int poff,
1481 * pipe is full or if we already spliced the requested length. 1482 * pipe is full or if we already spliced the requested length.
1482 */ 1483 */
1483static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset, 1484static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset,
1484 unsigned int *len, 1485 unsigned int *len, struct splice_pipe_desc *spd,
1485 struct splice_pipe_desc *spd) 1486 struct sock *sk)
1486{ 1487{
1487 int seg; 1488 int seg;
1488 1489
@@ -1492,7 +1493,7 @@ static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset,
1492 if (__splice_segment(virt_to_page(skb->data), 1493 if (__splice_segment(virt_to_page(skb->data),
1493 (unsigned long) skb->data & (PAGE_SIZE - 1), 1494 (unsigned long) skb->data & (PAGE_SIZE - 1),
1494 skb_headlen(skb), 1495 skb_headlen(skb),
1495 offset, len, skb, spd, 1)) 1496 offset, len, skb, spd, 1, sk))
1496 return 1; 1497 return 1;
1497 1498
1498 /* 1499 /*
@@ -1502,7 +1503,7 @@ static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset,
1502 const skb_frag_t *f = &skb_shinfo(skb)->frags[seg]; 1503 const skb_frag_t *f = &skb_shinfo(skb)->frags[seg];
1503 1504
1504 if (__splice_segment(f->page, f->page_offset, f->size, 1505 if (__splice_segment(f->page, f->page_offset, f->size,
1505 offset, len, skb, spd, 0)) 1506 offset, len, skb, spd, 0, sk))
1506 return 1; 1507 return 1;
1507 } 1508 }
1508 1509
@@ -1528,12 +1529,13 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
1528 .ops = &sock_pipe_buf_ops, 1529 .ops = &sock_pipe_buf_ops,
1529 .spd_release = sock_spd_release, 1530 .spd_release = sock_spd_release,
1530 }; 1531 };
1532 struct sock *sk = skb->sk;
1531 1533
1532 /* 1534 /*
1533 * __skb_splice_bits() only fails if the output has no room left, 1535 * __skb_splice_bits() only fails if the output has no room left,
1534 * so no point in going over the frag_list for the error case. 1536 * so no point in going over the frag_list for the error case.
1535 */ 1537 */
1536 if (__skb_splice_bits(skb, &offset, &tlen, &spd)) 1538 if (__skb_splice_bits(skb, &offset, &tlen, &spd, sk))
1537 goto done; 1539 goto done;
1538 else if (!tlen) 1540 else if (!tlen)
1539 goto done; 1541 goto done;
@@ -1545,14 +1547,13 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
1545 struct sk_buff *list = skb_shinfo(skb)->frag_list; 1547 struct sk_buff *list = skb_shinfo(skb)->frag_list;
1546 1548
1547 for (; list && tlen; list = list->next) { 1549 for (; list && tlen; list = list->next) {
1548 if (__skb_splice_bits(list, &offset, &tlen, &spd)) 1550 if (__skb_splice_bits(list, &offset, &tlen, &spd, sk))
1549 break; 1551 break;
1550 } 1552 }
1551 } 1553 }
1552 1554
1553done: 1555done:
1554 if (spd.nr_pages) { 1556 if (spd.nr_pages) {
1555 struct sock *sk = skb->sk;
1556 int ret; 1557 int ret;
1557 1558
1558 /* 1559 /*