diff options
| author | David S. Miller <davem@sunset.davemloft.net> | 2007-10-31 00:29:29 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-31 00:29:29 -0400 |
| commit | 51c739d1f484b2562040a3e496dc8e1670d4e279 (patch) | |
| tree | 87b12c2330f2951deb1a435367907d15a5d938c3 /net/rxrpc | |
| parent | 07afa040252eb41f91f46f8e538b434a63122999 (diff) | |
[NET]: Fix incorrect sg_mark_end() calls.
This fixes scatterlist corruptions added by
commit 68e3f5dd4db62619fdbe520d36c9ebf62e672256
[CRYPTO] users: Fix up scatterlist conversion errors
The issue is that the code calls sg_mark_end() which clobbers the
sg_page() pointer of the final scatterlist entry.
The first part fo the fix makes skb_to_sgvec() do __sg_mark_end().
After considering all skb_to_sgvec() call sites the most correct
solution is to call __sg_mark_end() in skb_to_sgvec() since that is
what all of the callers would end up doing anyways.
I suspect this might have fixed some problems in virtio_net which is
the sole non-crypto user of skb_to_sgvec().
Other similar sg_mark_end() cases were converted over to
__sg_mark_end() as well.
Arguably sg_mark_end() is a poorly named function because it doesn't
just "mark", it clears out the page pointer as a side effect, which is
what led to these bugs in the first place.
The one remaining plain sg_mark_end() call is in scsi_alloc_sgtable()
and arguably it could be converted to __sg_mark_end() if only so that
we can delete this confusing interface from linux/scatterlist.h
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rxrpc')
| -rw-r--r-- | net/rxrpc/rxkad.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c index eebefb6ef139..c387cf68a08c 100644 --- a/net/rxrpc/rxkad.c +++ b/net/rxrpc/rxkad.c | |||
| @@ -237,7 +237,8 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call, | |||
| 237 | len = data_size + call->conn->size_align - 1; | 237 | len = data_size + call->conn->size_align - 1; |
| 238 | len &= ~(call->conn->size_align - 1); | 238 | len &= ~(call->conn->size_align - 1); |
| 239 | 239 | ||
| 240 | sg_init_table(sg, skb_to_sgvec(skb, sg, 0, len)); | 240 | sg_init_table(sg, nsg); |
| 241 | skb_to_sgvec(skb, sg, 0, len); | ||
| 241 | crypto_blkcipher_encrypt_iv(&desc, sg, sg, len); | 242 | crypto_blkcipher_encrypt_iv(&desc, sg, sg, len); |
| 242 | 243 | ||
| 243 | _leave(" = 0"); | 244 | _leave(" = 0"); |
| @@ -344,7 +345,7 @@ static int rxkad_verify_packet_auth(const struct rxrpc_call *call, | |||
| 344 | goto nomem; | 345 | goto nomem; |
| 345 | 346 | ||
| 346 | sg_init_table(sg, nsg); | 347 | sg_init_table(sg, nsg); |
| 347 | sg_mark_end(sg, skb_to_sgvec(skb, sg, 0, 8)); | 348 | skb_to_sgvec(skb, sg, 0, 8); |
| 348 | 349 | ||
| 349 | /* start the decryption afresh */ | 350 | /* start the decryption afresh */ |
| 350 | memset(&iv, 0, sizeof(iv)); | 351 | memset(&iv, 0, sizeof(iv)); |
| @@ -426,7 +427,7 @@ static int rxkad_verify_packet_encrypt(const struct rxrpc_call *call, | |||
| 426 | } | 427 | } |
| 427 | 428 | ||
| 428 | sg_init_table(sg, nsg); | 429 | sg_init_table(sg, nsg); |
| 429 | sg_mark_end(sg, skb_to_sgvec(skb, sg, 0, skb->len)); | 430 | skb_to_sgvec(skb, sg, 0, skb->len); |
| 430 | 431 | ||
| 431 | /* decrypt from the session key */ | 432 | /* decrypt from the session key */ |
| 432 | payload = call->conn->key->payload.data; | 433 | payload = call->conn->key->payload.data; |
| @@ -701,7 +702,7 @@ static void rxkad_sg_set_buf2(struct scatterlist sg[2], | |||
| 701 | nsg++; | 702 | nsg++; |
| 702 | } | 703 | } |
| 703 | 704 | ||
| 704 | sg_mark_end(sg, nsg); | 705 | __sg_mark_end(&sg[nsg - 1]); |
| 705 | 706 | ||
| 706 | ASSERTCMP(sg[0].length + sg[1].length, ==, buflen); | 707 | ASSERTCMP(sg[0].length + sg[1].length, ==, buflen); |
| 707 | } | 708 | } |