diff options
| author | David S. Miller <davem@sunset.davemloft.net> | 2007-10-31 00:29:29 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-31 00:29:29 -0400 |
| commit | 51c739d1f484b2562040a3e496dc8e1670d4e279 (patch) | |
| tree | 87b12c2330f2951deb1a435367907d15a5d938c3 /net/ipv6 | |
| parent | 07afa040252eb41f91f46f8e538b434a63122999 (diff) | |
[NET]: Fix incorrect sg_mark_end() calls.
This fixes scatterlist corruptions added by
commit 68e3f5dd4db62619fdbe520d36c9ebf62e672256
[CRYPTO] users: Fix up scatterlist conversion errors
The issue is that the code calls sg_mark_end() which clobbers the
sg_page() pointer of the final scatterlist entry.
The first part fo the fix makes skb_to_sgvec() do __sg_mark_end().
After considering all skb_to_sgvec() call sites the most correct
solution is to call __sg_mark_end() in skb_to_sgvec() since that is
what all of the callers would end up doing anyways.
I suspect this might have fixed some problems in virtio_net which is
the sole non-crypto user of skb_to_sgvec().
Other similar sg_mark_end() cases were converted over to
__sg_mark_end() as well.
Arguably sg_mark_end() is a poorly named function because it doesn't
just "mark", it clears out the page pointer as a side effect, which is
what led to these bugs in the first place.
The one remaining plain sg_mark_end() call is in scsi_alloc_sgtable()
and arguably it could be converted to __sg_mark_end() if only so that
we can delete this confusing interface from linux/scatterlist.h
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/esp6.c | 13 | ||||
| -rw-r--r-- | net/ipv6/tcp_ipv6.c | 2 |
2 files changed, 8 insertions, 7 deletions
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index ab17b5e62355..7db66f10e00d 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c | |||
| @@ -110,9 +110,10 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 110 | goto unlock; | 110 | goto unlock; |
| 111 | } | 111 | } |
| 112 | sg_init_table(sg, nfrags); | 112 | sg_init_table(sg, nfrags); |
| 113 | sg_mark_end(sg, skb_to_sgvec(skb, sg, esph->enc_data + | 113 | skb_to_sgvec(skb, sg, |
| 114 | esp->conf.ivlen - | 114 | esph->enc_data + |
| 115 | skb->data, clen)); | 115 | esp->conf.ivlen - |
| 116 | skb->data, clen); | ||
| 116 | err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); | 117 | err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); |
| 117 | if (unlikely(sg != &esp->sgbuf[0])) | 118 | if (unlikely(sg != &esp->sgbuf[0])) |
| 118 | kfree(sg); | 119 | kfree(sg); |
| @@ -209,9 +210,9 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 209 | } | 210 | } |
| 210 | } | 211 | } |
| 211 | sg_init_table(sg, nfrags); | 212 | sg_init_table(sg, nfrags); |
| 212 | sg_mark_end(sg, skb_to_sgvec(skb, sg, | 213 | skb_to_sgvec(skb, sg, |
| 213 | sizeof(*esph) + esp->conf.ivlen, | 214 | sizeof(*esph) + esp->conf.ivlen, |
| 214 | elen)); | 215 | elen); |
| 215 | ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen); | 216 | ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen); |
| 216 | if (unlikely(sg != &esp->sgbuf[0])) | 217 | if (unlikely(sg != &esp->sgbuf[0])) |
| 217 | kfree(sg); | 218 | kfree(sg); |
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index f1523b82cac1..4b9032880959 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c | |||
| @@ -781,7 +781,7 @@ static int tcp_v6_do_calc_md5_hash(char *md5_hash, struct tcp_md5sig_key *key, | |||
| 781 | sg_set_buf(&sg[block++], key->key, key->keylen); | 781 | sg_set_buf(&sg[block++], key->key, key->keylen); |
| 782 | nbytes += key->keylen; | 782 | nbytes += key->keylen; |
| 783 | 783 | ||
| 784 | sg_mark_end(sg, block); | 784 | __sg_mark_end(&sg[block - 1]); |
| 785 | 785 | ||
| 786 | /* Now store the hash into the packet */ | 786 | /* Now store the hash into the packet */ |
| 787 | err = crypto_hash_init(desc); | 787 | err = crypto_hash_init(desc); |