Message ID | 1367271734-14379-1-git-send-email-bpoirier@suse.de |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
On Mon, 2013-04-29 at 17:42 -0400, Benjamin Poirier wrote: > "77c1090 net: fix infinite loop in __skb_recv_datagram()" (v3.8) introduced a > regression: > After that commit, recv can no longer peek beyond a 0-sized skb in the queue. > __skb_recv_datagram() instead stops at the first skb with len == 0 and results > in the system call failing with -EFAULT via skb_copy_datagram_iovec(). > > When peeking at an offset with 0-sized skb(s), each one of those is received > only once, in sequence. The offset starts moving forward again after receiving > datagrams with len > 0. > > Signed-off-by: Benjamin Poirier <bpoirier@suse.de> > > --- Acked-by: Eric Dumazet <edumazet@google.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Benjamin Poirier <bpoirier@suse.de> Date: Mon, 29 Apr 2013 17:42:12 -0400 > "77c1090 net: fix infinite loop in __skb_recv_datagram()" (v3.8) introduced a > regression: > After that commit, recv can no longer peek beyond a 0-sized skb in the queue. > __skb_recv_datagram() instead stops at the first skb with len == 0 and results > in the system call failing with -EFAULT via skb_copy_datagram_iovec(). > > When peeking at an offset with 0-sized skb(s), each one of those is received > only once, in sequence. The offset starts moving forward again after receiving > datagrams with len > 0. > > Signed-off-by: Benjamin Poirier <bpoirier@suse.de> Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/core/datagram.c b/net/core/datagram.c index 368f9c3..99c4f52 100644 --- a/net/core/datagram.c +++ b/net/core/datagram.c @@ -187,7 +187,8 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned int flags, skb_queue_walk(queue, skb) { *peeked = skb->peeked; if (flags & MSG_PEEK) { - if (*off >= skb->len && skb->len) { + if (*off >= skb->len && (skb->len || *off || + skb->peeked)) { *off -= skb->len; continue; }
"77c1090 net: fix infinite loop in __skb_recv_datagram()" (v3.8) introduced a regression: After that commit, recv can no longer peek beyond a 0-sized skb in the queue. __skb_recv_datagram() instead stops at the first skb with len == 0 and results in the system call failing with -EFAULT via skb_copy_datagram_iovec(). When peeking at an offset with 0-sized skb(s), each one of those is received only once, in sequence. The offset starts moving forward again after receiving datagrams with len > 0. Signed-off-by: Benjamin Poirier <bpoirier@suse.de> --- * v1 fix the case when SO_PEEK_OFF is used to set sk_peek_off beyond a 0-sized skb * v2 also fix the situation when sk_peek_off must advance to and beyond a 0-sized skb net/core/datagram.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)