Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b4d9eda0 authored by David S. Miller's avatar David S. Miller
Browse files

[NET]: Revert skb_copy_datagram_iovec() recursion elimination. 



Revert the following changeset:

bc8dfcb9

Recursive SKB frag lists are really possible and disallowing
them breaks things.

Noticed by: Jesse Brandeburg <jesse.brandeburg@intel.com>

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 00de651d

net/core/datagram.c

+53 −28
Original line number Diff line number Diff line
@@ -247,49 +247,74 @@ EXPORT_SYMBOL(skb_kill_datagram); 
int skb_copy_datagram_iovec(const struct sk_buff *skb, int offset,

			    struct iovec *to, int len)

{

	int i, err, fraglen, end = 0;

	struct sk_buff *next = skb_shinfo(skb)->frag_list;

	int start = skb_headlen(skb);

	int i, copy = start - offset;



	if (!len)

	/* Copy header. */

	if (copy > 0) {

		if (copy > len)

			copy = len;

		if (memcpy_toiovec(to, skb->data + offset, copy))

			goto fault;

		if ((len -= copy) == 0)

			return 0;

		offset += copy;

	}



next_skb:

	fraglen = skb_headlen(skb);

	i = -1;

	/* Copy paged appendix. Hmm... why does this look so complicated? */

	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {

		int end;



	while (1) {

		int start = end;

		BUG_TRAP(start <= offset + len);



		if ((end += fraglen) > offset) {

			int copy = end - offset, o = offset - start;

		end = start + skb_shinfo(skb)->frags[i].size;

		if ((copy = end - offset) > 0) {

			int err;

			u8  *vaddr;

			skb_frag_t *frag = &skb_shinfo(skb)->frags[i];

			struct page *page = frag->page;



			if (copy > len)

				copy = len;

			if (i == -1)

				err = memcpy_toiovec(to, skb->data + o, copy);

			else {

				skb_frag_t *frag = &skb_shinfo(skb)->frags[i];

				struct page *page = frag->page;

				void *p = kmap(page) + frag->page_offset + o;

				err = memcpy_toiovec(to, p, copy);

			vaddr = kmap(page);

			err = memcpy_toiovec(to, vaddr + frag->page_offset +

					     offset - start, copy);

			kunmap(page);

			}

			if (err)

				goto fault;

			if (!(len -= copy))

				return 0;

			offset += copy;

		}

		if (++i >= skb_shinfo(skb)->nr_frags)

			break;

		fraglen = skb_shinfo(skb)->frags[i].size;

		start = end;

	}



	if (skb_shinfo(skb)->frag_list) {

		struct sk_buff *list = skb_shinfo(skb)->frag_list;



		for (; list; list = list->next) {

			int end;



			BUG_TRAP(start <= offset + len);



			end = start + list->len;

			if ((copy = end - offset) > 0) {

				if (copy > len)

					copy = len;

				if (skb_copy_datagram_iovec(list,

							    offset - start,

							    to, copy))

					goto fault;

				if ((len -= copy) == 0)

					return 0;

				offset += copy;

			}

			start = end;

		}

	if (next) {

		skb = next;

		BUG_ON(skb_shinfo(skb)->frag_list);

		next = skb->next;

		goto next_skb;

	}

	if (!len)

		return 0;



fault:

	return -EFAULT;

}