Commit 61d46bf9 authored Jul 10, 2013 by Jason Wang Committed by David S. Miller Jul 10, 2013

macvtap: correctly linearize skb when zerocopy is used



Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to
linearize parts of the skb to let the rest of iov to be fit in
the frags, we need count copylen into linear when calling macvtap_alloc_skb()
instead of partly counting it into data_len. Since this breaks
zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should
be zero at beginning. This cause nr_frags to be increased wrongly without
setting the correct frags.

This bug were introduced from b92946e2
(macvtap: zerocopy: validate vectors before building skb).

Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 3dd5c330

drivers/net/macvtap.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -712,6 +712,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue q, struct msghdr m,
		int vnet_hdr_len = 0;
		int copylen = 0;
		bool zerocopy = false;
		size_t linear;

		if (q->flags & IFF_VNET_HDR) {
		vnet_hdr_len = q->vnet_hdr_sz;
		@@ -766,11 +767,14 @@ static ssize_t macvtap_get_user(struct macvtap_queue q, struct msghdr m,
		copylen = vnet_hdr.hdr_len;
		if (!copylen)
		copylen = GOODCOPY_LEN;
		} else
		linear = copylen;
		} else {
		copylen = len;
		linear = vnet_hdr.hdr_len;
		}

		skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen,
		vnet_hdr.hdr_len, noblock, &err);
		linear, noblock, &err);
		if (!skb)
		goto err;

Admin message