Message ID | 20180517171329.201710-1-willemdebruijn.kernel@gmail.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Series | [net,v2] net: test tailroom before appending to linear skb |

On 05/17/2018 10:13 AM, Willem de Bruijn wrote:

> From: Willem de Bruijn <willemb@google.com>
>
> Device features may change during transmission. In particular with
> corking, a device may toggle scatter-gather in between allocating
> and writing to an skb.
>
> Do not unconditionally assume that !NETIF_F_SG at write time implies
> that the same held at alloc time and thus the skb has sufficient
> tailroom.
>
> This issue predates git history.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>
>

Reviewed-by: Eric Dumazet <edumazet@google.com>

From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Date: Thu, 17 May 2018 13:13:29 -0400

> From: Willem de Bruijn <willemb@google.com>
>
> Device features may change during transmission. In particular with
> corking, a device may toggle scatter-gather in between allocating
> and writing to an skb.
>
> Do not unconditionally assume that !NETIF_F_SG at write time implies
> that the same held at alloc time and thus the skb has sufficient
> tailroom.
>
> This issue predates git history.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>
>
> ---
>
> v2: fix ipv4 boundary condition

Applied and queued up for -stable, thanks Willem.

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 83c73bab2c3d..d54abc097800 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -1045,7 +1045,8 @@ static int __ip_append_data(struct sock *sk, if (copy > length) copy = length; - if (!(rt->dst.dev->features&NETIF_F_SG)) { + if (!(rt->dst.dev->features&NETIF_F_SG) && + skb_tailroom(skb) >= copy) { unsigned int off; off = skb->len; diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 2e891d2c30ef..7b6d1689087b 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1503,7 +1503,8 @@ static int __ip6_append_data(struct sock *sk, if (copy > length) copy = length; - if (!(rt->dst.dev->features&NETIF_F_SG)) { + if (!(rt->dst.dev->features&NETIF_F_SG) && + skb_tailroom(skb) >= copy) { unsigned int off; off = skb->len;
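
Review bot: The new `skb_tailroom(skb) >= copy` test in the `__ip_append_data` hunk has no comment, so the reason a linear skb can be short of tailroom here (device features changing between allocation and write, as the commit message explains) lives only in the changelog. A one-line comment above the condition would keep a later cleanup from removing the check as redundant. The hunk context also does not show what handles a device without NETIF_F_SG once this block is skipped, so it is worth stating in the changelog which path takes over and that it is safe for such a device. Since the line is rewritten anyway, `features&NETIF_F_SG` could gain spaces around `&`.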
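
Review bot: The condition added in the `__ip6_append_data` hunk is an exact copy of the one in `__ip_append_data`, and the v2 changelog already mentions a boundary-condition fix on the IPv4 side. Consider a small shared inline helper for the "non-SG and enough tailroom" test so the IPv4 and IPv6 paths cannot drift apart. Also confirm that `copy` cannot be negative where it is compared against `skb_tailroom(skb)`, since the only clamp visible in the context is the upper one, `if (copy > length) copy = length;`.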