From: Li RongQing <lirongqing@xxxxxxxxx> commit db5c97f02373917efe2c218ebf8e3d8b19e343b6 upstream. first_len is the remainder of the first page we're copying. If this size is larger, then out of page boundary write will otherwise happen. Fixes: c05cd3645814 ("xsk: add support to allow unaligned chunk placement") Signed-off-by: Li RongQing <lirongqing@xxxxxxxxx> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx> Acked-by: Jonathan Lemon <jonathan.lemon@xxxxxxxxx> Acked-by: Björn Töpel <bjorn.topel@xxxxxxxxx> Link: https://lore.kernel.org/bpf/1585813930-19712-1-git-send-email-lirongqing@xxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/xdp/xsk.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -131,8 +131,9 @@ static void __xsk_rcv_memcpy(struct xdp_ u64 page_start = addr & ~(PAGE_SIZE - 1); u64 first_len = PAGE_SIZE - (addr - page_start); - memcpy(to_buf, from_buf, first_len + metalen); - memcpy(next_pg_addr, from_buf + first_len, len - first_len); + memcpy(to_buf, from_buf, first_len); + memcpy(next_pg_addr, from_buf + first_len, + len + metalen - first_len); return; }