On 05/17/2018 08:54 AM, Willem de Bruijn wrote:
> From: Willem de Bruijn <will...@google.com>
> 
> Device features may change during transmission. In particular with
> corking, a device may toggle scatter-gather in between allocating
> and writing to an skb.
> 
> Do not unconditionally assume that !NETIF_F_SG at write time implies
> that the same held at alloc time and thus the skb has sufficient
> tailroom.
> 
> This issue predates git history.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Eric Dumazet <eduma...@google.com>
> Signed-off-by: Willem de Bruijn <will...@google.com>
> ---
>  net/ipv4/ip_output.c  | 3 ++-
>  net/ipv6/ip6_output.c | 3 ++-
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index 83c73bab2c3d..c15204ec2eb0 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1045,7 +1045,8 @@ static int __ip_append_data(struct sock *sk,
>               if (copy > length)
>                       copy = length;
>  
> -             if (!(rt->dst.dev->features&NETIF_F_SG)) {
> +             if (!(rt->dst.dev->features&NETIF_F_SG) &&
> +                 skb_tailroom(skb) > copy) {

On second thought, maybe use >= for the test ?

>                       unsigned int off;
>  
>                       off = skb->len;
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> index 2e891d2c30ef..7b6d1689087b 100644
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -1503,7 +1503,8 @@ static int __ip6_append_data(struct sock *sk,
>               if (copy > length)
>                       copy = length;
>  
> -             if (!(rt->dst.dev->features&NETIF_F_SG)) {
> +             if (!(rt->dst.dev->features&NETIF_F_SG) &&
> +                 skb_tailroom(skb) >= copy) {
>                       unsigned int off;
>  
>                       off = skb->len;
> 

Reply via email to