diff options
author | David S. Miller <davem@sunset.davemloft.net> | 2007-10-31 00:29:29 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-31 00:29:29 -0400 |
commit | 51c739d1f484b2562040a3e496dc8e1670d4e279 (patch) | |
tree | 87b12c2330f2951deb1a435367907d15a5d938c3 /net/ipv4/esp4.c | |
parent | 07afa040252eb41f91f46f8e538b434a63122999 (diff) |
[NET]: Fix incorrect sg_mark_end() calls.
This fixes scatterlist corruptions added by
commit 68e3f5dd4db62619fdbe520d36c9ebf62e672256
[CRYPTO] users: Fix up scatterlist conversion errors
The issue is that the code calls sg_mark_end() which clobbers the
sg_page() pointer of the final scatterlist entry.
The first part fo the fix makes skb_to_sgvec() do __sg_mark_end().
After considering all skb_to_sgvec() call sites the most correct
solution is to call __sg_mark_end() in skb_to_sgvec() since that is
what all of the callers would end up doing anyways.
I suspect this might have fixed some problems in virtio_net which is
the sole non-crypto user of skb_to_sgvec().
Other similar sg_mark_end() cases were converted over to
__sg_mark_end() as well.
Arguably sg_mark_end() is a poorly named function because it doesn't
just "mark", it clears out the page pointer as a side effect, which is
what led to these bugs in the first place.
The one remaining plain sg_mark_end() call is in scsi_alloc_sgtable()
and arguably it could be converted to __sg_mark_end() if only so that
we can delete this confusing interface from linux/scatterlist.h
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/esp4.c')
-rw-r--r-- | net/ipv4/esp4.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index cad4278025ad..c31bccb9b526 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c | |||
@@ -111,9 +111,10 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) | |||
111 | goto unlock; | 111 | goto unlock; |
112 | } | 112 | } |
113 | sg_init_table(sg, nfrags); | 113 | sg_init_table(sg, nfrags); |
114 | sg_mark_end(sg, skb_to_sgvec(skb, sg, esph->enc_data + | 114 | skb_to_sgvec(skb, sg, |
115 | esp->conf.ivlen - | 115 | esph->enc_data + |
116 | skb->data, clen)); | 116 | esp->conf.ivlen - |
117 | skb->data, clen); | ||
117 | err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); | 118 | err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); |
118 | if (unlikely(sg != &esp->sgbuf[0])) | 119 | if (unlikely(sg != &esp->sgbuf[0])) |
119 | kfree(sg); | 120 | kfree(sg); |
@@ -205,8 +206,9 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) | |||
205 | goto out; | 206 | goto out; |
206 | } | 207 | } |
207 | sg_init_table(sg, nfrags); | 208 | sg_init_table(sg, nfrags); |
208 | sg_mark_end(sg, skb_to_sgvec(skb, sg, sizeof(*esph) + esp->conf.ivlen, | 209 | skb_to_sgvec(skb, sg, |
209 | elen)); | 210 | sizeof(*esph) + esp->conf.ivlen, |
211 | elen); | ||
210 | err = crypto_blkcipher_decrypt(&desc, sg, sg, elen); | 212 | err = crypto_blkcipher_decrypt(&desc, sg, sg, elen); |
211 | if (unlikely(sg != &esp->sgbuf[0])) | 213 | if (unlikely(sg != &esp->sgbuf[0])) |
212 | kfree(sg); | 214 | kfree(sg); |