git.baikalelectronics.ru Git - kernel.git/commit

author	Al Viro <viro@ZenIV.linux.org.uk>
	Mon, 14 Aug 2017 19:31:38 +0000 (21:31 +0200)
committer	David S. Miller <davem@davemloft.net>
	Tue, 15 Aug 2017 05:26:51 +0000 (22:26 -0700)
commit	ee0d7727e044f46ab3a735d29cfed8feea8d44c5
tree	dc523c0b1f3b8b02f1ae3cfb43f216a79b781178	tree \| snapshot
parent	10b6de9427cdc9b0136df8c8f7b0522194f761e6	commit \| diff

udp: fix linear skb reception with PEEK_OFF

copy_linear_skb() is broken; both of its callers actually
expect 'len' to be the amount we are trying to copy,
not the offset of the end.
Fix it keeping the meanings of arguments in sync with what the
callers (both of them) expect.
Also restore a saner behavior on EFAULT (i.e. preserving
the iov_iter position in case of failure):

The commit a8359fbc6714 ("udp: harden copy_linear_skb()")
avoids the more destructive effect of the buggy
copy_linear_skb(), e.g. no more invalid memory access, but
said function still behaves incorrectly: when peeking with
offset it can fail with EINVAL instead of copying the
appropriate amount of memory.

Reported-by: Sasha Levin <alexander.levin@verizon.com>
Fixes: 7bf372f23f16 ("udp: try to avoid 2 cache miss on dequeue")
Fixes: a8359fbc6714 ("udp: harden copy_linear_skb()")
Signed-off-by: Al Viro <viro@ZenIV.linux.org.uk>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Tested-by: Sasha Levin <alexander.levin@verizon.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>