From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
Herbert Xu <herbert@gondor.apana.org.au>,
David Miller <davem@davemloft.net>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 04/22] : Fix truesize underflow
Date: Thu, 20 Apr 2006 21:37:51 -0700 [thread overview]
Message-ID: <20060421043751.GE12846@kroah.com> (raw)
In-Reply-To: <20060421043706.GA12846@kroah.com>
[-- Attachment #1: fix-bug.patch --]
[-- Type: text/plain, Size: 1357 bytes --]
From: Herbert Xu <herbert@gondor.apana.org.au>
[TCP]: Fix truesize underflow
There is a problem with the TSO packet trimming code. The cause of
this lies in the tcp_fragment() function.
When we allocate a fragment for a completely non-linear packet the
truesize is calculated for a payload length of zero. This means that
truesize could in fact be less than the real payload length.
When that happens the TSO packet trimming can cause truesize to become
negative. This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE
which would trigger the warning.
I've copied the code DaveM used in tso_fragment which should work here.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv4/tcp_output.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- linux-2.6.16.9.orig/net/ipv4/tcp_output.c
+++ linux-2.6.16.9/net/ipv4/tcp_output.c
@@ -537,7 +537,9 @@ int tcp_fragment(struct sock *sk, struct
buff = sk_stream_alloc_skb(sk, nsize, GFP_ATOMIC);
if (buff == NULL)
return -ENOMEM; /* We'll just try again later. */
- sk_charge_skb(sk, buff);
+
+ buff->truesize = skb->len - len;
+ skb->truesize -= buff->truesize;
/* Correct the sequence numbers. */
TCP_SKB_CB(buff)->seq = TCP_SKB_CB(skb)->seq + len;
--
next prev parent reply other threads:[~2006-04-21 4:46 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20060421043353.602539000@blue.kroah.org>
2006-04-21 4:37 ` [patch 00/22] 2.6.16-stable review cycle Greg KH
2006-04-21 4:37 ` [patch 01/22] 3ware: kmap_atomic() fix Greg KH
2006-04-21 4:37 ` [patch 02/22] 3ware 9000 disable local irqs during kmap_atomic Greg KH
2006-04-21 4:37 ` [patch 03/22] efficeon-agp: Add missing memory mask Greg KH
2006-04-21 4:37 ` Greg KH [this message]
2006-04-21 4:37 ` [patch 05/22] : Fix hotplug race during device registration Greg KH
2006-04-21 4:38 ` [patch 06/22] i2c-i801: Fix resume when PEC is used Greg KH
2006-04-21 4:38 ` [patch 07/22] MTD_NAND_SHARPSL and MTD_NAND_NANDSIM should be tristates Greg KH
2006-04-21 4:38 ` [patch 08/22] PPC: fix oops in alsa powermac driver Greg KH
2006-04-21 4:38 ` [patch 09/22] selinux: Fix MLS compatibility off-by-one bug Greg KH
2006-04-21 4:38 ` [patch 10/22] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff Greg KH
2006-04-21 4:39 ` [patch 11/22] IPV6: XFRM: Dont use old copy of pointer after pskb_may_pull() Greg KH
2006-04-21 4:39 ` [patch 12/22] IPV6: XFRM: Fix decoding session with preceding extension header(s) Greg KH
2006-04-21 4:39 ` [patch 13/22] x86: dont allow tail-calls in sys_ftruncate() Greg KH
2006-04-21 4:39 ` [patch 18/22] Fix file lookup without ref Greg KH
2006-04-21 4:39 ` [patch 17/22] IPC: access to unmapped vmalloc area in grow_ary() Greg KH
2006-04-21 4:39 ` [patch 16/22] m41t00: fix bitmasks when writing to chip Greg KH
2006-04-21 4:39 ` [patch 15/22] Open IPMI BT overflow Greg KH
2006-04-21 4:39 ` [patch 14/22] x86: be careful about tailcall breakage for sys_opentoo Greg KH
2006-04-21 4:39 ` [patch 22/22] Add more prevent_tail_call() Greg KH
2006-04-21 4:39 ` [patch 21/22] alim15x3: ULI M-1573 south Bridge support Greg KH
2006-04-21 4:40 ` [patch 20/22] apm: fix Armada laptops again Greg KH
2006-04-21 4:40 ` [patch 19/22] fbdev: Fix return error of fb_write Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060421043751.GE12846@kroah.com \
--to=gregkh@suse.de \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rdunlap@xenotime.net \
--cc=stable@kernel.org \
--cc=torvalds@osdl.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox