tun: fix tun_chr_aio_write so that aio works
aio_write gets const struct iovec * but tun_chr_aio_write casts this to struct iovec * and modifies the iovec. As a result, attempts to use io_submit to send packets to a tun device fail with weird errors such as EINVAL. Since tun is the only user of skb_copy_datagram_from_iovec, we can fix this simply by changing the later so that it does not touch the iovec passed to it. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
43b39dcdbd
commit
6f26c9a755
5 changed files with 30 additions and 17 deletions
|
@ -540,31 +540,34 @@ static inline struct sk_buff *tun_alloc_skb(struct tun_struct *tun,
|
|||
|
||||
/* Get packet from user space buffer */
|
||||
static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
|
||||
struct iovec *iv, size_t count,
|
||||
const struct iovec *iv, size_t count,
|
||||
int noblock)
|
||||
{
|
||||
struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) };
|
||||
struct sk_buff *skb;
|
||||
size_t len = count, align = 0;
|
||||
struct virtio_net_hdr gso = { 0 };
|
||||
int offset = 0;
|
||||
|
||||
if (!(tun->flags & TUN_NO_PI)) {
|
||||
if ((len -= sizeof(pi)) > count)
|
||||
return -EINVAL;
|
||||
|
||||
if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
|
||||
if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
|
||||
return -EFAULT;
|
||||
offset += sizeof(pi);
|
||||
}
|
||||
|
||||
if (tun->flags & TUN_VNET_HDR) {
|
||||
if ((len -= sizeof(gso)) > count)
|
||||
return -EINVAL;
|
||||
|
||||
if (memcpy_fromiovec((void *)&gso, iv, sizeof(gso)))
|
||||
if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
|
||||
return -EFAULT;
|
||||
|
||||
if (gso.hdr_len > len)
|
||||
return -EINVAL;
|
||||
offset += sizeof(pi);
|
||||
}
|
||||
|
||||
if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
|
||||
|
@ -581,7 +584,7 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
|
|||
return PTR_ERR(skb);
|
||||
}
|
||||
|
||||
if (skb_copy_datagram_from_iovec(skb, 0, iv, len)) {
|
||||
if (skb_copy_datagram_from_iovec(skb, 0, iv, offset, len)) {
|
||||
tun->dev->stats.rx_dropped++;
|
||||
kfree_skb(skb);
|
||||
return -EFAULT;
|
||||
|
@ -673,7 +676,7 @@ static ssize_t tun_chr_aio_write(struct kiocb *iocb, const struct iovec *iv,
|
|||
|
||||
DBG(KERN_INFO "%s: tun_chr_write %ld\n", tun->dev->name, count);
|
||||
|
||||
result = tun_get_user(tun, (struct iovec *)iv, iov_length(iv, count),
|
||||
result = tun_get_user(tun, iv, iov_length(iv, count),
|
||||
file->f_flags & O_NONBLOCK);
|
||||
|
||||
tun_put(tun);
|
||||
|
|
|
@ -1715,7 +1715,8 @@ extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
|
|||
struct iovec *iov);
|
||||
extern int skb_copy_datagram_from_iovec(struct sk_buff *skb,
|
||||
int offset,
|
||||
struct iovec *from,
|
||||
const struct iovec *from,
|
||||
int from_offset,
|
||||
int len);
|
||||
extern int skb_copy_datagram_const_iovec(const struct sk_buff *from,
|
||||
int offset,
|
||||
|
|
|
@ -309,8 +309,8 @@ struct ucred {
|
|||
|
||||
#ifdef __KERNEL__
|
||||
extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
|
||||
extern int memcpy_fromiovecend(unsigned char *kdata, struct iovec *iov,
|
||||
int offset, int len);
|
||||
extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
|
||||
int offset, int len);
|
||||
extern int csum_partial_copy_fromiovecend(unsigned char *kdata,
|
||||
struct iovec *iov,
|
||||
int offset,
|
||||
|
|
|
@ -435,13 +435,15 @@ EXPORT_SYMBOL(skb_copy_datagram_const_iovec);
|
|||
* @skb: buffer to copy
|
||||
* @offset: offset in the buffer to start copying to
|
||||
* @from: io vector to copy to
|
||||
* @from_offset: offset in the io vector to start copying from
|
||||
* @len: amount of data to copy to buffer from iovec
|
||||
*
|
||||
* Returns 0 or -EFAULT.
|
||||
* Note: the iovec is modified during the copy.
|
||||
* Note: the iovec is not modified during the copy.
|
||||
*/
|
||||
int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
|
||||
struct iovec *from, int len)
|
||||
const struct iovec *from, int from_offset,
|
||||
int len)
|
||||
{
|
||||
int start = skb_headlen(skb);
|
||||
int i, copy = start - offset;
|
||||
|
@ -450,11 +452,12 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
|
|||
if (copy > 0) {
|
||||
if (copy > len)
|
||||
copy = len;
|
||||
if (memcpy_fromiovec(skb->data + offset, from, copy))
|
||||
if (memcpy_fromiovecend(skb->data + offset, from, 0, copy))
|
||||
goto fault;
|
||||
if ((len -= copy) == 0)
|
||||
return 0;
|
||||
offset += copy;
|
||||
from_offset += copy;
|
||||
}
|
||||
|
||||
/* Copy paged appendix. Hmm... why does this look so complicated? */
|
||||
|
@ -473,8 +476,9 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
|
|||
if (copy > len)
|
||||
copy = len;
|
||||
vaddr = kmap(page);
|
||||
err = memcpy_fromiovec(vaddr + frag->page_offset +
|
||||
offset - start, from, copy);
|
||||
err = memcpy_fromiovecend(vaddr + frag->page_offset +
|
||||
offset - start,
|
||||
from, from_offset, copy);
|
||||
kunmap(page);
|
||||
if (err)
|
||||
goto fault;
|
||||
|
@ -482,6 +486,7 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
|
|||
if (!(len -= copy))
|
||||
return 0;
|
||||
offset += copy;
|
||||
from_offset += copy;
|
||||
}
|
||||
start = end;
|
||||
}
|
||||
|
@ -500,11 +505,14 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
|
|||
copy = len;
|
||||
if (skb_copy_datagram_from_iovec(list,
|
||||
offset - start,
|
||||
from, copy))
|
||||
from,
|
||||
from_offset,
|
||||
copy))
|
||||
goto fault;
|
||||
if ((len -= copy) == 0)
|
||||
return 0;
|
||||
offset += copy;
|
||||
from_offset += copy;
|
||||
}
|
||||
start = end;
|
||||
}
|
||||
|
|
|
@ -147,10 +147,11 @@ int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len)
|
|||
}
|
||||
|
||||
/*
|
||||
* For use with ip_build_xmit
|
||||
* Copy iovec from kernel. Returns -EFAULT on error.
|
||||
*/
|
||||
int memcpy_fromiovecend(unsigned char *kdata, struct iovec *iov, int offset,
|
||||
int len)
|
||||
|
||||
int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
|
||||
int offset, int len)
|
||||
{
|
||||
/* Skip over the finished iovecs */
|
||||
while (offset >= iov->iov_len) {
|
||||
|
|
Loading…
Reference in a new issue