[NET]: Make skb_seq_read unmap the last fragment

Having walked through the entire skbuff, skb_seq_read would leave the last fragment mapped. As a consequence, the unwary caller would leak kmaps, and proceed with preempt_count off by one. The only (kind of non-intuitive) workaround is to use skb_seq_read_abort. This patch makes sure skb_seq_read always unmaps frag_data after having cycled through the skb's paged part. Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>

[NET]: Make skb_seq_read unmap the last fragment
Having walked through the entire skbuff, skb_seq_read would leave the last fragment mapped. As a consequence, the unwary caller would leak kmaps, and proceed with preempt_count off by one. The only (kind of non-intuitive) workaround is to use skb_seq_read_abort. This patch makes sure skb_seq_read always unmaps frag_data after having cycled through the skb's paged part. Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
5b5a60da · Olaf Kirch · David S. Miller · 515e06c4 · 5b5a60da
Commit 5b5a60da authored Jun 23, 2007 by Olaf Kirch Committed by David S. Miller Jun 23, 2007
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

net/core/skbuff.c net/core/skbuff.c +5 -0

No files found.
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1706,6 +1706,11 @@ unsigned int skb_seq_read(unsigned int consumed, const u8 **data,
 		st->stepped_offset += frag->size;
 	}
+	if (st->frag_data) {
+		kunmap_skb_frag(st->frag_data);
+		st->frag_data = NULL;
+	}
 	if (st->cur_skb->next) {
 		st->cur_skb = st->cur_skb->next;
 		st->frag_idx = 0;