xen-netfront: use correct linear area after linearizing an skb
authorDavid Vrabel <david.vrabel@citrix.com>
Tue, 9 Dec 2014 18:43:28 +0000 (18:43 +0000)
committerDavid S. Miller <davem@davemloft.net>
Wed, 10 Dec 2014 02:41:00 +0000 (21:41 -0500)
Commit 97a6d1bb2b658ac85ed88205ccd1ab809899884d (xen-netfront: Fix
handling packets on compound pages with skb_linearize) attempted to
fix a problem where an skb that would have required too many slots
would be dropped causing TCP connections to stall.

However, it filled in the first slot using the original buffer and not
the new one and would use the wrong offset and grant access to the
wrong page.

Netback would notice the malformed request and stop all traffic on the
VIF, reporting:

    vif vif-3-0 vif3.0: txreq.offset: 85e, size: 4002, end: 6144
    vif vif-3-0 vif3.0: fatal error; disabling device

Reported-by: Anthony Wright <anthony@overnetdata.com>
Tested-by: Anthony Wright <anthony@overnetdata.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/xen-netfront.c

index ece8d1804d13606c71b8f39e90851cb8b82de8ac..eeed0ce620f3d8bcdad897cd188dfaacb924a03b 100644 (file)
@@ -627,6 +627,9 @@ static int xennet_start_xmit(struct sk_buff *skb, struct net_device *dev)
                                    slots, skb->len);
                if (skb_linearize(skb))
                        goto drop;
+               data = skb->data;
+               offset = offset_in_page(data);
+               len = skb_headlen(skb);
        }
 
        spin_lock_irqsave(&queue->tx_lock, flags);