[NET]: Revert skb_copy_datagram_iovec() recursion elimination.
authorDavid S. Miller <davem@sunset.davemloft.net>
Tue, 14 Feb 2006 00:06:10 +0000 (16:06 -0800)
committerDavid S. Miller <davem@sunset.davemloft.net>
Tue, 14 Feb 2006 00:06:10 +0000 (16:06 -0800)
Revert the following changeset:

bc8dfcb93970ad7139c976356bfc99d7e251deaf

Recursive SKB frag lists are really possible and disallowing
them breaks things.

Noticed by: Jesse Brandeburg <jesse.brandeburg@intel.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/datagram.c

index f8d322e1ea9276c3f581fbda2393c829b6fd17f0..b8ce6bf81188943a1ac91f3b80b361d03ce3c955 100644 (file)
@@ -247,49 +247,74 @@ EXPORT_SYMBOL(skb_kill_datagram);
 int skb_copy_datagram_iovec(const struct sk_buff *skb, int offset,
                            struct iovec *to, int len)
 {
-       int i, err, fraglen, end = 0;
-       struct sk_buff *next = skb_shinfo(skb)->frag_list;
+       int start = skb_headlen(skb);
+       int i, copy = start - offset;
 
-       if (!len)
-               return 0;
+       /* Copy header. */
+       if (copy > 0) {
+               if (copy > len)
+                       copy = len;
+               if (memcpy_toiovec(to, skb->data + offset, copy))
+                       goto fault;
+               if ((len -= copy) == 0)
+                       return 0;
+               offset += copy;
+       }
 
-next_skb:
-       fraglen = skb_headlen(skb);
-       i = -1;
+       /* Copy paged appendix. Hmm... why does this look so complicated? */
+       for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
+               int end;
 
-       while (1) {
-               int start = end;
+               BUG_TRAP(start <= offset + len);
 
-               if ((end += fraglen) > offset) {
-                       int copy = end - offset, o = offset - start;
+               end = start + skb_shinfo(skb)->frags[i].size;
+               if ((copy = end - offset) > 0) {
+                       int err;
+                       u8  *vaddr;
+                       skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
+                       struct page *page = frag->page;
 
                        if (copy > len)
                                copy = len;
-                       if (i == -1)
-                               err = memcpy_toiovec(to, skb->data + o, copy);
-                       else {
-                               skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
-                               struct page *page = frag->page;
-                               void *p = kmap(page) + frag->page_offset + o;
-                               err = memcpy_toiovec(to, p, copy);
-                               kunmap(page);
-                       }
+                       vaddr = kmap(page);
+                       err = memcpy_toiovec(to, vaddr + frag->page_offset +
+                                            offset - start, copy);
+                       kunmap(page);
                        if (err)
                                goto fault;
                        if (!(len -= copy))
                                return 0;
                        offset += copy;
                }
-               if (++i >= skb_shinfo(skb)->nr_frags)
-                       break;
-               fraglen = skb_shinfo(skb)->frags[i].size;
+               start = end;
        }
-       if (next) {
-               skb = next;
-               BUG_ON(skb_shinfo(skb)->frag_list);
-               next = skb->next;
-               goto next_skb;
+
+       if (skb_shinfo(skb)->frag_list) {
+               struct sk_buff *list = skb_shinfo(skb)->frag_list;
+
+               for (; list; list = list->next) {
+                       int end;
+
+                       BUG_TRAP(start <= offset + len);
+
+                       end = start + list->len;
+                       if ((copy = end - offset) > 0) {
+                               if (copy > len)
+                                       copy = len;
+                               if (skb_copy_datagram_iovec(list,
+                                                           offset - start,
+                                                           to, copy))
+                                       goto fault;
+                               if ((len -= copy) == 0)
+                                       return 0;
+                               offset += copy;
+                       }
+                       start = end;
+               }
        }
+       if (!len)
+               return 0;
+
 fault:
        return -EFAULT;
 }
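Review bot: The recursive call `skb_copy_datagram_iovec(list, offset - start, to, copy)` in the frag_list loop has no depth bound visible in this hunk, so stack use grows with however deeply an skb's frag lists nest, on a kernel stack that is small and fixed. Since the commit message says nested frag lists do occur, a comment above that loop should record what limits the nesting, for example `/* Recurses once per frag_list nesting level; depth is bounded by <what the skb producers guarantee>. */`. Separately, both `BUG_TRAP(start <= offset + len)` checks appear to only log rather than halt (as far as I know BUG_TRAP is a printk-style assertion), so execution continues into the copy with `offset - start` as the source offset. The function therefore depends on callers passing a non-negative `offset` and a `len` that fits the skb. That precondition deserves a line in the function comment, as does the fact that the final `-EFAULT` is also what a caller gets when `len` runs past the end of the data.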