[NET]: Revert skb_copy_datagram_iovec() recursion elimination.

Revert the following changeset: bc8dfcb9 Recursive SKB frag lists are really possible and disallowing them breaks things. Noticed by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>

[NET]: Revert skb_copy_datagram_iovec() recursion elimination.
Revert the following changeset: bc8dfcb9 Recursive SKB frag lists are really possible and disallowing them breaks things. Noticed by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
b4d9eda0 · David S. Miller · 00de651d · b4d9eda0
Commit b4d9eda0 authored Feb 13, 2006 by David S. Miller
Hide whitespace changes
Inline Side-by-side

Showing with 53 additions and 28 deletions

net/core/datagram.c net/core/datagram.c +53 -28

No files found.
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -247,49 +247,74 @@ EXPORT_SYMBOL(skb_kill_datagram);
 int skb_copy_datagram_iovec(const struct sk_buff *skb, int offset,
 			    struct iovec *to, int len)
 {
-	int i, err, fraglen, end = 0;
+	int start = skb_headlen(skb);
-	struct sk_buff *next = skb_shinfo(skb)->frag_list;
+	int i, copy = start - offset;
-	if (!len)
+	/* Copy header. */
-		return 0;
+	if (copy > 0) {
+		if (copy > len)
+			copy = len;
+		if (memcpy_toiovec(to, skb->data + offset, copy))
+			goto fault;
+		if ((len -= copy) == 0)
+			return 0;
+		offset += copy;
+	}
-next_skb:
+	/* Copy paged appendix. Hmm... why does this look so complicated? */
-	fraglen = skb_headlen(skb);
+	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
-	i = -1;
+		int end;
-	while (1) {
+		BUG_TRAP(start <= offset + len);
-		int start = end;
-		if ((end += fraglen) > offset) {
+		end = start + skb_shinfo(skb)->frags[i].size;
-			int copy = end - offset, o = offset - start;
+		if ((copy = end - offset) > 0) {
+			int err;
+			u8  *vaddr;
+			skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
+			struct page *page = frag->page;
 			if (copy > len)
 				copy = len;
-			if (i == -1)
+			vaddr = kmap(page);
-				err = memcpy_toiovec(to, skb->data + o, copy);
+			err = memcpy_toiovec(to, vaddr + frag->page_offset +
-			else {
+					     offset - start, copy);
-				skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
+			kunmap(page);
-				struct page *page = frag->page;
-				void *p = kmap(page) + frag->page_offset + o;
-				err = memcpy_toiovec(to, p, copy);
-				kunmap(page);
-			}
 			if (err)
 				goto fault;
 			if (!(len -= copy))
 				return 0;
 			offset += copy;
 		}
-		if (++i >= skb_shinfo(skb)->nr_frags)
+		start = end;
-			break;
-		fraglen = skb_shinfo(skb)->frags[i].size;
 	}
-	if (next) {
-		skb = next;
+	if (skb_shinfo(skb)->frag_list) {
-		BUG_ON(skb_shinfo(skb)->frag_list);
+		struct sk_buff *list = skb_shinfo(skb)->frag_list;
-		next = skb->next;
-		goto next_skb;
+		for (; list; list = list->next) {
+			int end;
+			BUG_TRAP(start <= offset + len);
+			end = start + list->len;
+			if ((copy = end - offset) > 0) {
+				if (copy > len)
+					copy = len;
+				if (skb_copy_datagram_iovec(list,
+							    offset - start,
+							    to, copy))
+					goto fault;
+				if ((len -= copy) == 0)
+					return 0;
+				offset += copy;
+			}
+			start = end;
+		}
 	}
+	if (!len)
+		return 0;
 fault:
 	return -EFAULT;
 }