On Fri, Jun 06, 2014 at 05:09:28PM +0100, Ben Hutchings wrote:
> From: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
>
> commit 1fd819ecb90cc9b822cd84d3056ddba315d3340f upstream.
>
> skb_segment copies frags around, so we need
> to copy them carefully to avoid accessing
> user memory after reporting completion to userspace
> through a callback.
>
> skb_segment doesn't normally happen on datapath:
> TSO needs to be disabled - so disabling zero copy
> in this case does not look like a big deal.
>
> Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
> Acked-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> [bwh: Backported to 3.2. As skb_segment() only supports page-frags *or* a
> frag list, there is no need for the additional frag_skb pointer or the
> preparatory renaming.]
> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> ---
> This is what I used in Debian for 3.2, and I believe it applies to all
> stable branches up to 3.12 inclusive.
>
> For branches older than 3.6, this requires cherry-picking commit
> a353e0ce0fd4 ('skbuff: add an api to orphan frags'). To avoid breaking
> OOT builds of openvswitch, which will use skb_orphan_frags() if
> available, it is also necessary to cherry-pick commit dcc0fb782b3a
> ('skbuff: export skb_copy_ubufs').
>
> Ben.
>
Thanks Ben, I'll queue it for the 3.11 kernel.
Cheers,
--
Luís
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -2701,6 +2701,9 @@ struct sk_buff *skb_segment(struct sk_bu
> skb_put(nskb, hsize), hsize);
>
> while (pos < offset + len && i < nfrags) {
> + if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC)))
> + goto err;
> +
> *frag = skb_shinfo(skb)->frags[i];
> __skb_frag_ref(frag);
> size = skb_frag_size(frag);
>
> --
> Ben Hutchings
> You can't have everything. Where would you put it?
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html