@@ -641,7 +641,7 @@ static ssize_t tap_get_user(struct tap_queue *q, void *msg_control,
struct sk_buff *skb;
struct tap_dev *tap;
unsigned long total_len = iov_iter_count(from);
- unsigned long len = total_len;
+ unsigned long len;
int err;
struct virtio_net_hdr vnet_hdr = { 0 };
int vnet_hdr_len = 0;
@@ -655,9 +655,8 @@ static ssize_t tap_get_user(struct tap_queue *q, void *msg_control,
vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz);
err = -EINVAL;
- if (len < vnet_hdr_len)
+ if (iov_iter_count(from) < vnet_hdr_len)
goto err;
- len -= vnet_hdr_len;
err = -EFAULT;
if (!copy_from_iter_full(&vnet_hdr, sizeof(vnet_hdr), from))
@@ -671,10 +670,12 @@ static ssize_t tap_get_user(struct tap_queue *q, void *msg_control,
tap16_to_cpu(q, vnet_hdr.csum_start) +
tap16_to_cpu(q, vnet_hdr.csum_offset) + 2);
err = -EINVAL;
- if (tap16_to_cpu(q, vnet_hdr.hdr_len) > len)
+ if (tap16_to_cpu(q, vnet_hdr.hdr_len) > iov_iter_count(from))
goto err;
}
+ len = iov_iter_count(from);
+
err = -EINVAL;
if (unlikely(len < ETH_HLEN))
goto err;
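Review bot: The `hdr_len` bound at `if (tap16_to_cpu(q, vnet_hdr.hdr_len) > iov_iter_count(from))` is now only correct if `from` has already been advanced past all `vnet_hdr_len` bytes (the header plus any padding beyond `sizeof(vnet_hdr)`) by the time it runs. The removed `len -= vnet_hdr_len` made that explicit; the advance itself is outside this hunk, so it presumably still happens between the copy and this check, but that should be confirmed. Since this check and the later `len = iov_iter_count(from)` bound a guest-supplied header length against the payload, I would document the dependency with a comment above the check, e.g. `/* from is positioned past the vnet header here, so the remaining count is the payload length */`. Separately, `len` is now indeterminate until the assignment after the block, so any future read of it inside the `IFF_VNET_HDR` branch would use an uninitialized value. The function body starts before the first hunk and continues past this one.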
tap_get_user() used to track the length of iov_iter with another variable. We can use iov_iter_count() to determine the current length to avoid such chores. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> --- drivers/net/tap.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)