From: Herbert Xu <herbert.xu@redhat.com>
Subject: [RHEL5.1 PATCH] [XEN] netloop: Do not clobber cloned skb page frags
Date: Wed, 1 Aug 2007 21:35:59 +0800
Bugzilla: 249683
Message-Id: <20070801133559.GA3907@gondor.apana.org.au>
Changelog: [XEN] netloop: Do not clobber cloned skb page frags

Hi:

RHEL5.1 BZ 249683
May also fix 246304

This is not yet submitted upstream to Xen but I'll do it right now. I do not foresee any problems there.

[XEN] netloop: Do not clobber cloned skb page frags

The netloop driver tries to localise foreign mappings by copying them. Unfortunately, it does so by directly modifying skb page frags without checking whether the skb is cloned or not. In fact, the packet is going to be cloned more often than not.

This may result in either data corruption on DMA or a page fault in dom0 which kills the whole machine.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff -r 88a17da7f336 drivers/xen/netback/loopback.c --- a/drivers/xen/netback/loopback.c Thu Jul 26 16:36:52 2007 +0100 +++ b/drivers/xen/netback/loopback.c Tue Jul 31 18:59:11 2007 +0800 @@ -99,6 +99,10 @@ static int skb_remove_foreign_references BUG_ON(skb_shinfo(skb)->frag_list); + if (skb_cloned(skb) && + unlikely(pskb_expand_head(skb, 0, 0, GFP_ATOMIC))) + return 0; + for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { pfn = page_to_pfn(skb_shinfo(skb)->frags[i].page); if (!is_foreign(pfn))
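Review bot: The new early `return 0` in skb_remove_foreign_references(), taken when pskb_expand_head() fails under GFP_ATOMIC, has no comment, and the hunk does not show what a zero return means to the caller. Please confirm that 0 is the failure return and that the caller drops the packet in that case, since continuing would leave the loop below working on frags that are still shared with the clone, which is the corruption the changelog describes. A one-line comment above the `skb_cloned(skb)` test saying that pskb_expand_head(skb, 0, 0, ...) is called only to give this skb a private copy of its frags before the loop touches frags[i].page would make the intent clear to the next reader. Because the changelog says the skb is cloned more often than not, this atomic allocation sits on the common path, so it may be worth counting the failure in a drop statistic so that losses under memory pressure are visible.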