diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2014-03-10 13:28:08 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-03-11 16:26:38 -0400 |
| commit | 1fd819ecb90cc9b822cd84d3056ddba315d3340f (patch) | |
| tree | a6ebab17f5c69d2c9ef08aa5fa1426201adfa7e7 /net | |
| parent | 1a4cedaf65491e66e1e55b8428c89209da729209 (diff) | |
skbuff: skb_segment: orphan frags before copying
skb_segment copies frags around, so we need
to copy them carefully to avoid accessing
user memory after reporting completion to userspace
through a callback.
skb_segment doesn't normally happen on datapath:
TSO needs to be disabled - so disabling zero copy
in this case does not look like a big deal.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/skbuff.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index dc4f7683ff52..869c7afe3b07 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -2854,6 +2854,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, | |||
| 2854 | skb_frag_t *frag = skb_shinfo(head_skb)->frags; | 2854 | skb_frag_t *frag = skb_shinfo(head_skb)->frags; |
| 2855 | unsigned int mss = skb_shinfo(head_skb)->gso_size; | 2855 | unsigned int mss = skb_shinfo(head_skb)->gso_size; |
| 2856 | unsigned int doffset = head_skb->data - skb_mac_header(head_skb); | 2856 | unsigned int doffset = head_skb->data - skb_mac_header(head_skb); |
| 2857 | struct sk_buff *frag_skb = head_skb; | ||
| 2857 | unsigned int offset = doffset; | 2858 | unsigned int offset = doffset; |
| 2858 | unsigned int tnl_hlen = skb_tnl_header_len(head_skb); | 2859 | unsigned int tnl_hlen = skb_tnl_header_len(head_skb); |
| 2859 | unsigned int headroom; | 2860 | unsigned int headroom; |
| @@ -2898,6 +2899,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, | |||
| 2898 | i = 0; | 2899 | i = 0; |
| 2899 | nfrags = skb_shinfo(list_skb)->nr_frags; | 2900 | nfrags = skb_shinfo(list_skb)->nr_frags; |
| 2900 | frag = skb_shinfo(list_skb)->frags; | 2901 | frag = skb_shinfo(list_skb)->frags; |
| 2902 | frag_skb = list_skb; | ||
| 2901 | pos += skb_headlen(list_skb); | 2903 | pos += skb_headlen(list_skb); |
| 2902 | 2904 | ||
| 2903 | while (pos < offset + len) { | 2905 | while (pos < offset + len) { |
| @@ -2985,6 +2987,7 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, | |||
| 2985 | i = 0; | 2987 | i = 0; |
| 2986 | nfrags = skb_shinfo(list_skb)->nr_frags; | 2988 | nfrags = skb_shinfo(list_skb)->nr_frags; |
| 2987 | frag = skb_shinfo(list_skb)->frags; | 2989 | frag = skb_shinfo(list_skb)->frags; |
| 2990 | frag_skb = list_skb; | ||
| 2988 | 2991 | ||
| 2989 | BUG_ON(!nfrags); | 2992 | BUG_ON(!nfrags); |
| 2990 | 2993 | ||
| @@ -2999,6 +3002,9 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, | |||
| 2999 | goto err; | 3002 | goto err; |
| 3000 | } | 3003 | } |
| 3001 | 3004 | ||
| 3005 | if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC))) | ||
| 3006 | goto err; | ||
| 3007 | |||
| 3002 | *nskb_frag = *frag; | 3008 | *nskb_frag = *frag; |
| 3003 | __skb_frag_ref(nskb_frag); | 3009 | __skb_frag_ref(nskb_frag); |
| 3004 | size = skb_frag_size(nskb_frag); | 3010 | size = skb_frag_size(nskb_frag); |