Commit 6f26c9a7 authored by Michael S. Tsirkin's avatar Michael S. Tsirkin Committed by David S. Miller

tun: fix tun_chr_aio_write so that aio works

aio_write gets const struct iovec * but tun_chr_aio_write casts this to struct
iovec * and modifies the iovec. As a result, attempts to use io_submit
to send packets to a tun device fail with weird errors such as EINVAL.

Since tun is the only user of skb_copy_datagram_from_iovec, we can
fix this simply by changing the later so that it does not
touch the iovec passed to it.
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 43b39dcd
...@@ -540,31 +540,34 @@ static inline struct sk_buff *tun_alloc_skb(struct tun_struct *tun, ...@@ -540,31 +540,34 @@ static inline struct sk_buff *tun_alloc_skb(struct tun_struct *tun,
/* Get packet from user space buffer */ /* Get packet from user space buffer */
static __inline__ ssize_t tun_get_user(struct tun_struct *tun, static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
struct iovec *iv, size_t count, const struct iovec *iv, size_t count,
int noblock) int noblock)
{ {
struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) }; struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) };
struct sk_buff *skb; struct sk_buff *skb;
size_t len = count, align = 0; size_t len = count, align = 0;
struct virtio_net_hdr gso = { 0 }; struct virtio_net_hdr gso = { 0 };
int offset = 0;
if (!(tun->flags & TUN_NO_PI)) { if (!(tun->flags & TUN_NO_PI)) {
if ((len -= sizeof(pi)) > count) if ((len -= sizeof(pi)) > count)
return -EINVAL; return -EINVAL;
if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi))) if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
return -EFAULT; return -EFAULT;
offset += sizeof(pi);
} }
if (tun->flags & TUN_VNET_HDR) { if (tun->flags & TUN_VNET_HDR) {
if ((len -= sizeof(gso)) > count) if ((len -= sizeof(gso)) > count)
return -EINVAL; return -EINVAL;
if (memcpy_fromiovec((void *)&gso, iv, sizeof(gso))) if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
return -EFAULT; return -EFAULT;
if (gso.hdr_len > len) if (gso.hdr_len > len)
return -EINVAL; return -EINVAL;
offset += sizeof(pi);
} }
if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) { if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
...@@ -581,7 +584,7 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, ...@@ -581,7 +584,7 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
return PTR_ERR(skb); return PTR_ERR(skb);
} }
if (skb_copy_datagram_from_iovec(skb, 0, iv, len)) { if (skb_copy_datagram_from_iovec(skb, 0, iv, offset, len)) {
tun->dev->stats.rx_dropped++; tun->dev->stats.rx_dropped++;
kfree_skb(skb); kfree_skb(skb);
return -EFAULT; return -EFAULT;
...@@ -673,7 +676,7 @@ static ssize_t tun_chr_aio_write(struct kiocb *iocb, const struct iovec *iv, ...@@ -673,7 +676,7 @@ static ssize_t tun_chr_aio_write(struct kiocb *iocb, const struct iovec *iv,
DBG(KERN_INFO "%s: tun_chr_write %ld\n", tun->dev->name, count); DBG(KERN_INFO "%s: tun_chr_write %ld\n", tun->dev->name, count);
result = tun_get_user(tun, (struct iovec *)iv, iov_length(iv, count), result = tun_get_user(tun, iv, iov_length(iv, count),
file->f_flags & O_NONBLOCK); file->f_flags & O_NONBLOCK);
tun_put(tun); tun_put(tun);
......
...@@ -1715,7 +1715,8 @@ extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb, ...@@ -1715,7 +1715,8 @@ extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
struct iovec *iov); struct iovec *iov);
extern int skb_copy_datagram_from_iovec(struct sk_buff *skb, extern int skb_copy_datagram_from_iovec(struct sk_buff *skb,
int offset, int offset,
struct iovec *from, const struct iovec *from,
int from_offset,
int len); int len);
extern int skb_copy_datagram_const_iovec(const struct sk_buff *from, extern int skb_copy_datagram_const_iovec(const struct sk_buff *from,
int offset, int offset,
......
...@@ -309,7 +309,7 @@ struct ucred { ...@@ -309,7 +309,7 @@ struct ucred {
#ifdef __KERNEL__ #ifdef __KERNEL__
extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len); extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
extern int memcpy_fromiovecend(unsigned char *kdata, struct iovec *iov, extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
int offset, int len); int offset, int len);
extern int csum_partial_copy_fromiovecend(unsigned char *kdata, extern int csum_partial_copy_fromiovecend(unsigned char *kdata,
struct iovec *iov, struct iovec *iov,
......
...@@ -435,13 +435,15 @@ EXPORT_SYMBOL(skb_copy_datagram_const_iovec); ...@@ -435,13 +435,15 @@ EXPORT_SYMBOL(skb_copy_datagram_const_iovec);
* @skb: buffer to copy * @skb: buffer to copy
* @offset: offset in the buffer to start copying to * @offset: offset in the buffer to start copying to
* @from: io vector to copy to * @from: io vector to copy to
* @from_offset: offset in the io vector to start copying from
* @len: amount of data to copy to buffer from iovec * @len: amount of data to copy to buffer from iovec
* *
* Returns 0 or -EFAULT. * Returns 0 or -EFAULT.
* Note: the iovec is modified during the copy. * Note: the iovec is not modified during the copy.
*/ */
int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset, int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
struct iovec *from, int len) const struct iovec *from, int from_offset,
int len)
{ {
int start = skb_headlen(skb); int start = skb_headlen(skb);
int i, copy = start - offset; int i, copy = start - offset;
...@@ -450,11 +452,12 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset, ...@@ -450,11 +452,12 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
if (copy > 0) { if (copy > 0) {
if (copy > len) if (copy > len)
copy = len; copy = len;
if (memcpy_fromiovec(skb->data + offset, from, copy)) if (memcpy_fromiovecend(skb->data + offset, from, 0, copy))
goto fault; goto fault;
if ((len -= copy) == 0) if ((len -= copy) == 0)
return 0; return 0;
offset += copy; offset += copy;
from_offset += copy;
} }
/* Copy paged appendix. Hmm... why does this look so complicated? */ /* Copy paged appendix. Hmm... why does this look so complicated? */
...@@ -473,8 +476,9 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset, ...@@ -473,8 +476,9 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
if (copy > len) if (copy > len)
copy = len; copy = len;
vaddr = kmap(page); vaddr = kmap(page);
err = memcpy_fromiovec(vaddr + frag->page_offset + err = memcpy_fromiovecend(vaddr + frag->page_offset +
offset - start, from, copy); offset - start,
from, from_offset, copy);
kunmap(page); kunmap(page);
if (err) if (err)
goto fault; goto fault;
...@@ -482,6 +486,7 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset, ...@@ -482,6 +486,7 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
if (!(len -= copy)) if (!(len -= copy))
return 0; return 0;
offset += copy; offset += copy;
from_offset += copy;
} }
start = end; start = end;
} }
...@@ -500,11 +505,14 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset, ...@@ -500,11 +505,14 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
copy = len; copy = len;
if (skb_copy_datagram_from_iovec(list, if (skb_copy_datagram_from_iovec(list,
offset - start, offset - start,
from, copy)) from,
from_offset,
copy))
goto fault; goto fault;
if ((len -= copy) == 0) if ((len -= copy) == 0)
return 0; return 0;
offset += copy; offset += copy;
from_offset += copy;
} }
start = end; start = end;
} }
......
...@@ -147,10 +147,11 @@ int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len) ...@@ -147,10 +147,11 @@ int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len)
} }
/* /*
* For use with ip_build_xmit * Copy iovec from kernel. Returns -EFAULT on error.
*/ */
int memcpy_fromiovecend(unsigned char *kdata, struct iovec *iov, int offset,
int len) int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
int offset, int len)
{ {
/* Skip over the finished iovecs */ /* Skip over the finished iovecs */
while (offset >= iov->iov_len) { while (offset >= iov->iov_len) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment