On 05/17/2018 08:54 AM, Willem de Bruijn wrote: > From: Willem de Bruijn <will...@google.com> > > Device features may change during transmission. In particular with > corking, a device may toggle scatter-gather in between allocating > and writing to an skb. > > Do not unconditionally assume that !NETIF_F_SG at write time implies > that the same held at alloc time and thus the skb has sufficient > tailroom. > > This issue predates git history. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Reported-by: Eric Dumazet <eduma...@google.com> > Signed-off-by: Willem de Bruijn <will...@google.com> > --- > net/ipv4/ip_output.c | 3 ++- > net/ipv6/ip6_output.c | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c > index 83c73bab2c3d..c15204ec2eb0 100644 > --- a/net/ipv4/ip_output.c > +++ b/net/ipv4/ip_output.c > @@ -1045,7 +1045,8 @@ static int __ip_append_data(struct sock *sk, > if (copy > length) > copy = length; > > - if (!(rt->dst.dev->features&NETIF_F_SG)) { > + if (!(rt->dst.dev->features&NETIF_F_SG) && > + skb_tailroom(skb) > copy) {
On second thought, maybe use >= for the test ? > unsigned int off; > > off = skb->len; > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c > index 2e891d2c30ef..7b6d1689087b 100644 > --- a/net/ipv6/ip6_output.c > +++ b/net/ipv6/ip6_output.c > @@ -1503,7 +1503,8 @@ static int __ip6_append_data(struct sock *sk, > if (copy > length) > copy = length; > > - if (!(rt->dst.dev->features&NETIF_F_SG)) { > + if (!(rt->dst.dev->features&NETIF_F_SG) && > + skb_tailroom(skb) >= copy) { > unsigned int off; > > off = skb->len; >
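Review bot: In the net/ipv4/ip_output.c hunk the added condition reads "skb_tailroom(skb) > copy", while the matching condition in the net/ipv6/ip6_output.c hunk reads "skb_tailroom(skb) >= copy". With ">", an skb whose tailroom is exactly equal to copy fails the test and takes the other branch even though the data would fit. Use ">=" in __ip_append_data() as well so that IPv4 and IPv6 treat the exact-fit case the same way.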
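Review bot: The added "skb_tailroom(skb) >= copy" test in the __ip6_append_data() hunk carries no comment, and the reason for it (the device may toggle scatter-gather between allocation and write, so !NETIF_F_SG at write time does not imply the skb was allocated with enough tailroom) lives only in the commit message. A short comment above the condition stating that would keep a later cleanup from dropping the check as redundant with the NETIF_F_SG test. The same comment belongs above the condition in the IPv4 hunk.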