On Mon, Apr 24, 2017 at 1:02 PM, David Laight <David.Laight@xxxxxxxxxx> wrote:
> ...
>
> Shouldn't skb_to_sgvec() be checking the number of fragments against
> the size of the sg list?
>

The callers would then all need auditing to allow for failure. This has never been done before, since this is one of those operations that simply _shouldn't fail_ this late in the driver's path.

There's an easy way to use a fixed size array of MAX_SKB_FRAGS+1, and then just not specify FRAGLIST as a device feature. Then the function succeeds every time, rather than dropping packets.

Alternatively, if the array is being allocated dynamically (kmalloc), a call to skb_cow_data returns the number of fragments needed; since usually people using scatter-gather are going to be modifying the skb anyway, I believe this function should be called anyway...

It would be possible to do as you suggest, though, by using sg_is_last in skb_to_sgvec. In this case we'd need to change every call site of skb_to_sgvec to ensure the return value is being checked, as well as making sure that the sglist is initialized with sg_init_table to ensure the last frag is properly marked. I wouldn't be opposed to this, though it is potentially error prone work.

In any case, this patch here follows the pattern of the entire rest of the present-day kernel, so it ought to be merged as-is.
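The two patterns discussed in the message above (a fixed MAX_SKB_FRAGS+1 table that always fits, versus a bounds check based on the end mark that sg_init_table leaves on the last slot) can be modelled in plain userspace C. The following is an added illustration, not kernel code and not from the thread: `struct sg_entry`, `struct model_skb`, `MODEL_MAX_FRAGS`, `MODEL_EMSGSIZE` and the `model_*` functions are simplified stand-ins for the kernel's scatterlist, sk_buff, MAX_SKB_FRAGS, -EMSGSIZE, sg_init_table(), sg_is_last() and skb_to_sgvec(), and the sample packet is constructed inline.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_FRAGS 4   /* stand-in for MAX_SKB_FRAGS (assumed value) */
#define MODEL_EMSGSIZE  90  /* stand-in for EMSGSIZE */

/* Simplified scatterlist entry. The kernel packs the chain/end flags into
 * page_link; here the end mark set by sg_init_table() is an explicit field. */
struct sg_entry {
	const void *buf;
	unsigned int len;
	int is_last;
};

/* Simplified skb: a linear head plus a bounded array of page fragments. */
struct model_skb {
	const void *head;
	unsigned int head_len;
	unsigned int nr_frags;
	struct { const void *buf; unsigned int len; } frags[MODEL_MAX_FRAGS];
};

/* Stand-in for sg_init_table(): zero the table and mark its last slot. */
static void model_sg_init_table(struct sg_entry *sg, unsigned int nents)
{
	memset(sg, 0, nents * sizeof(*sg));
	sg[nents - 1].is_last = 1;
}

/* skb_to_sgvec() with the sg_is_last() check proposed in the thread: before
 * stepping to the next slot, ask whether the current one is the table's end.
 * Returns the number of entries filled, or -MODEL_EMSGSIZE when head plus
 * fragments do not fit. With this variant every caller must check the result. */
static int model_skb_to_sgvec(const struct model_skb *skb, struct sg_entry *sg)
{
	unsigned int i, elt = 0;

	sg[elt].buf = skb->head;
	sg[elt].len = skb->head_len;

	for (i = 0; i < skb->nr_frags; i++) {
		if (sg[elt].is_last)   /* model of sg_is_last(): no slot left */
			return -MODEL_EMSGSIZE;
		elt++;
		sg[elt].buf = skb->frags[i].buf;
		sg[elt].len = skb->frags[i].len;
	}
	return (int)elt + 1;
}

/* Constructed sample packet: a short header plus nr_frags 4-byte fragments. */
static void build_skb(struct model_skb *skb, unsigned int nr_frags)
{
	static const char hdr[] = "hdr";
	static const char payload[] = "0123456789abcdef";
	unsigned int i;

	if (nr_frags > MODEL_MAX_FRAGS)
		nr_frags = MODEL_MAX_FRAGS;
	memset(skb, 0, sizeof(*skb));
	skb->head = hdr;
	skb->head_len = sizeof(hdr) - 1;
	skb->nr_frags = nr_frags;
	for (i = 0; i < nr_frags; i++) {
		skb->frags[i].buf = payload + 4 * i;
		skb->frags[i].len = 4;
	}
}

/* Pattern 1: fixed array of MAX_SKB_FRAGS + 1 entries and no FRAGLIST feature.
 * The worst-case packet (head + MAX_SKB_FRAGS fragments) always fits. */
static int fixed_array_case(void)
{
	struct sg_entry sg[MODEL_MAX_FRAGS + 1];
	struct model_skb skb;

	build_skb(&skb, MODEL_MAX_FRAGS);
	model_sg_init_table(sg, MODEL_MAX_FRAGS + 1);
	return model_skb_to_sgvec(&skb, sg);
}

/* Pattern 2: an undersized table. Without the end-mark check the loop would
 * write past the array; with it the caller receives an error to handle. */
static int undersized_case(void)
{
	struct sg_entry sg[2];
	struct model_skb skb;

	build_skb(&skb, 3);
	model_sg_init_table(sg, 2);
	return model_skb_to_sgvec(&skb, sg);
}

int main(void)
{
	printf("fixed array: %d entries\n", fixed_array_case());
	printf("undersized:  %d (negative means error)\n", undersized_case());
	return 0;
}
```

The undersized case only fails cleanly because `model_sg_init_table()` marked the final slot; a table that was merely zeroed would carry no end mark and the check could never fire, which is the reason the message insists that every call site would also have to be audited for sg_init_table use.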