diff options
| author | David S. Miller <davem@sunset.davemloft.net> | 2007-10-30 21:29:29 -0700 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-30 21:29:29 -0700 |
| commit | 51c739d1f484b2562040a3e496dc8e1670d4e279 (patch) | |
| tree | 87b12c2330f2951deb1a435367907d15a5d938c3 /net/ipv6 | |
| parent | 07afa040252eb41f91f46f8e538b434a63122999 (diff) | |
| download | linux-51c739d1f484b2562040a3e496dc8e1670d4e279.tar.gz | |
[NET]: Fix incorrect sg_mark_end() calls.
This fixes scatterlist corruptions added by commit 68e3f5dd4db62619fdbe520d36c9ebf62e672256 [CRYPTO] users: Fix up scatterlist conversion errors The issue is that the code calls sg_mark_end() which clobbers the sg_page() pointer of the final scatterlist entry. The first part fo the fix makes skb_to_sgvec() do __sg_mark_end(). After considering all skb_to_sgvec() call sites the most correct solution is to call __sg_mark_end() in skb_to_sgvec() since that is what all of the callers would end up doing anyways. I suspect this might have fixed some problems in virtio_net which is the sole non-crypto user of skb_to_sgvec(). Other similar sg_mark_end() cases were converted over to __sg_mark_end() as well. Arguably sg_mark_end() is a poorly named function because it doesn't just "mark", it clears out the page pointer as a side effect, which is what led to these bugs in the first place. The one remaining plain sg_mark_end() call is in scsi_alloc_sgtable() and arguably it could be converted to __sg_mark_end() if only so that we can delete this confusing interface from linux/scatterlist.h Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/esp6.c | 13 | ||||
| -rw-r--r-- | net/ipv6/tcp_ipv6.c | 2 |
2 files changed, 8 insertions, 7 deletions
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index ab17b5e62355..7db66f10e00d 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -110,9 +110,10 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) goto unlock; } sg_init_table(sg, nfrags); - sg_mark_end(sg, skb_to_sgvec(skb, sg, esph->enc_data + - esp->conf.ivlen - - skb->data, clen)); + skb_to_sgvec(skb, sg, + esph->enc_data + + esp->conf.ivlen - + skb->data, clen); err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); if (unlikely(sg != &esp->sgbuf[0])) kfree(sg); @@ -209,9 +210,9 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) } } sg_init_table(sg, nfrags); - sg_mark_end(sg, skb_to_sgvec(skb, sg, - sizeof(*esph) + esp->conf.ivlen, - elen)); + skb_to_sgvec(skb, sg, + sizeof(*esph) + esp->conf.ivlen, + elen); ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen); if (unlikely(sg != &esp->sgbuf[0])) kfree(sg); diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index f1523b82cac1..4b9032880959 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -781,7 +781,7 @@ static int tcp_v6_do_calc_md5_hash(char *md5_hash, struct tcp_md5sig_key *key, sg_set_buf(&sg[block++], key->key, key->keylen); nbytes += key->keylen; - sg_mark_end(sg, block); + __sg_mark_end(&sg[block - 1]); /* Now store the hash into the packet */ err = crypto_hash_init(desc); |