tun: fix tun_chr_aio_write so that aio works
authorMichael S. Tsirkin <mst@redhat.com>
Mon, 20 Apr 2009 01:26:11 +0000 (01:26 +0000)
committerDavid S. Miller <davem@davemloft.net>
Tue, 21 Apr 2009 12:42:46 +0000 (05:42 -0700)
aio_write gets const struct iovec * but tun_chr_aio_write casts this to struct
iovec * and modifies the iovec. As a result, attempts to use io_submit
to send packets to a tun device fail with weird errors such as EINVAL.

Since tun is the only user of skb_copy_datagram_from_iovec, we can
fix this simply by changing the later so that it does not
touch the iovec passed to it.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/tun.c
include/linux/skbuff.h
include/linux/socket.h
net/core/datagram.c
net/core/iovec.c

index 3b513e29d392acae3f8b47cd064eab4a8f03c35d..589f0ca668d6a45f9100af7d39f46ef63929439a 100644 (file)
@@ -540,31 +540,34 @@ static inline struct sk_buff *tun_alloc_skb(struct tun_struct *tun,
 
 /* Get packet from user space buffer */
 static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
-                                      struct iovec *iv, size_t count,
+                                      const struct iovec *iv, size_t count,
                                       int noblock)
 {
        struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) };
        struct sk_buff *skb;
        size_t len = count, align = 0;
        struct virtio_net_hdr gso = { 0 };
+       int offset = 0;
 
        if (!(tun->flags & TUN_NO_PI)) {
                if ((len -= sizeof(pi)) > count)
                        return -EINVAL;
 
-               if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
+               if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
                        return -EFAULT;
+               offset += sizeof(pi);
        }
 
        if (tun->flags & TUN_VNET_HDR) {
                if ((len -= sizeof(gso)) > count)
                        return -EINVAL;
 
-               if (memcpy_fromiovec((void *)&gso, iv, sizeof(gso)))
+               if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
                        return -EFAULT;
 
                if (gso.hdr_len > len)
                        return -EINVAL;
+               offset += sizeof(pi);
        }
 
        if ((tun->flags & TUN_TYPE_MASK) == TUN_TAP_DEV) {
@@ -581,7 +584,7 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun,
                return PTR_ERR(skb);
        }
 
-       if (skb_copy_datagram_from_iovec(skb, 0, iv, len)) {
+       if (skb_copy_datagram_from_iovec(skb, 0, iv, offset, len)) {
                tun->dev->stats.rx_dropped++;
                kfree_skb(skb);
                return -EFAULT;
@@ -673,7 +676,7 @@ static ssize_t tun_chr_aio_write(struct kiocb *iocb, const struct iovec *iv,
 
        DBG(KERN_INFO "%s: tun_chr_write %ld\n", tun->dev->name, count);
 
-       result = tun_get_user(tun, (struct iovec *)iv, iov_length(iv, count),
+       result = tun_get_user(tun, iv, iov_length(iv, count),
                              file->f_flags & O_NONBLOCK);
 
        tun_put(tun);
index af2b21bdda83b3e3535c633bf65886445f06274d..1b5c3d298f43666a634a226eeb67a9e14b55748a 100644 (file)
@@ -1715,7 +1715,8 @@ extern int               skb_copy_and_csum_datagram_iovec(struct sk_buff *skb,
                                                        struct iovec *iov);
 extern int            skb_copy_datagram_from_iovec(struct sk_buff *skb,
                                                    int offset,
-                                                   struct iovec *from,
+                                                   const struct iovec *from,
+                                                   int from_offset,
                                                    int len);
 extern int            skb_copy_datagram_const_iovec(const struct sk_buff *from,
                                                     int offset,
index 171b08db9c4f4d69524529643dafc4b16bd1e437..42a0396f2c59c79d597dd8be6ee5e470755bb0a8 100644 (file)
@@ -309,8 +309,8 @@ struct ucred {
 
 #ifdef __KERNEL__
 extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
-extern int memcpy_fromiovecend(unsigned char *kdata, struct iovec *iov, 
-                               int offset, int len);
+extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
+                              int offset, int len);
 extern int csum_partial_copy_fromiovecend(unsigned char *kdata, 
                                          struct iovec *iov, 
                                          int offset, 
index 4dbb05cd572b9be22b1a17aee2dd4bc49be49f06..914d5fa773b4fe828cc4fb35683d3b31ccf67277 100644 (file)
@@ -435,13 +435,15 @@ EXPORT_SYMBOL(skb_copy_datagram_const_iovec);
  *     @skb: buffer to copy
  *     @offset: offset in the buffer to start copying to
  *     @from: io vector to copy to
+ *     @from_offset: offset in the io vector to start copying from
  *     @len: amount of data to copy to buffer from iovec
  *
  *     Returns 0 or -EFAULT.
- *     Note: the iovec is modified during the copy.
+ *     Note: the iovec is not modified during the copy.
  */
 int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
-                                struct iovec *from, int len)
+                                const struct iovec *from, int from_offset,
+                                int len)
 {
        int start = skb_headlen(skb);
        int i, copy = start - offset;
@@ -450,11 +452,12 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
        if (copy > 0) {
                if (copy > len)
                        copy = len;
-               if (memcpy_fromiovec(skb->data + offset, from, copy))
+               if (memcpy_fromiovecend(skb->data + offset, from, 0, copy))
                        goto fault;
                if ((len -= copy) == 0)
                        return 0;
                offset += copy;
+               from_offset += copy;
        }
 
        /* Copy paged appendix. Hmm... why does this look so complicated? */
@@ -473,8 +476,9 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
                        if (copy > len)
                                copy = len;
                        vaddr = kmap(page);
-                       err = memcpy_fromiovec(vaddr + frag->page_offset +
-                                              offset - start, from, copy);
+                       err = memcpy_fromiovecend(vaddr + frag->page_offset +
+                                                 offset - start,
+                                                 from, from_offset, copy);
                        kunmap(page);
                        if (err)
                                goto fault;
@@ -482,6 +486,7 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
                        if (!(len -= copy))
                                return 0;
                        offset += copy;
+                       from_offset += copy;
                }
                start = end;
        }
@@ -500,11 +505,14 @@ int skb_copy_datagram_from_iovec(struct sk_buff *skb, int offset,
                                        copy = len;
                                if (skb_copy_datagram_from_iovec(list,
                                                                 offset - start,
-                                                                from, copy))
+                                                                from,
+                                                                from_offset,
+                                                                copy))
                                        goto fault;
                                if ((len -= copy) == 0)
                                        return 0;
                                offset += copy;
+                               from_offset += copy;
                        }
                        start = end;
                }
index a215545c0a345679af5929d675737739f17b33f5..40a76ce19d9fddfb90d2b21f282135e4d1bef239 100644 (file)
@@ -147,10 +147,11 @@ int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len)
 }
 
 /*
- *     For use with ip_build_xmit
+ *     Copy iovec from kernel. Returns -EFAULT on error.
  */
-int memcpy_fromiovecend(unsigned char *kdata, struct iovec *iov, int offset,
-                       int len)
+
+int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
+                       int offset, int len)
 {
        /* Skip over the finished iovecs */
        while (offset >= iov->iov_len) {