On Tue, Jul 23, 2019 at 11:56:41AM +0800, Yunsheng Lin wrote: > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > > index 6f1e31f674a3..e32081709a0d 100644 > > --- a/net/core/skbuff.c > > +++ b/net/core/skbuff.c > > @@ -2975,11 +2975,15 @@ skb_zerocopy(struct sk_buff *to, struct sk_buff > > *from, int len, int hlen) > > skb_zerocopy_clone(to, from, GFP_ATOMIC); > > > > for (i = 0; i < skb_shinfo(from)->nr_frags; i++) { > > + int size; > > + > > if (!len) > > break; > > skb_shinfo(to)->frags[j] = skb_shinfo(from)->frags[i]; > > - skb_shinfo(to)->frags[j].size = min_t(int, > > skb_shinfo(to)->frags[j].size, len); > > - len -= skb_shinfo(to)->frags[j].size; > > + size = min_t(int, skb_frag_size(&skb_shinfo(to)->frags[j]), > > + len); > > It seems skb_frag_size returns unsigned int here, maybe: > > unsigned int size; > > size = min_t(unsigned int, skb_frag_size(&skb_shinfo(to)->frags[j]), > > The original code also does not seem to be using the correct min_t, but > perhaps it is better to clean that up too?
A signed size also doesn't make sense to me, but I wasn't sufficiently certain to make that change. Please feel free to send a followup patch for people to consider.
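Review bot: In the new `size = min_t(int, skb_frag_size(&skb_shinfo(to)->frags[j]), len);` assignment, the comparison type needs to be settled together with the valid range of `len`, which is a signed `int` parameter and is only tested with `if (!len)` in the visible loop. With `min_t(int, ...)` a negative `len` yields a negative `size`; with `min_t(unsigned int, ...)`, as the quoted reply proposes, a negative `len` converts to a large unsigned value and the full fragment size is taken instead. Suggest stating in a comment or in the commit message that `len` is non-negative at this point, or checking it before the loop, so that either choice of type is safe, and making the signed-to-unsigned change in the separate follow-up discussed here rather than in this conversion.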