Added fix for crashing response with large headers

There was a case when we exhaust all available room in skb
and tso_fragment couldn't correctly split such skb.

Now max size of skb data is:
SS_SKB_MAX_DATA_LEN (SKB_MAX_HEADER + MAX_SKB_FRAGS * PAGE_SIZE)

Author: const-t

fw/http_msg.c

@@ -1338,22 +1338,28 @@ tfw_http_msg_alloc_from_pool(TfwHttpTransIter *mit, TfwPool* pool, size_t size)
 	bool np;
 	char* addr;
 	TfwMsgIter *it = &mit->iter;
-	struct skb_shared_info *si = skb_shinfo(it->skb);
+	struct sk_buff *skb = it->skb;
+	struct skb_shared_info *si = skb_shinfo(skb);
 
 	addr = tfw_pool_alloc_not_align_np(pool, size, &np);
 	if (!addr)
 		return -ENOMEM;
 
-	if (np) {
-		r = ss_skb_add_frag(it->skb_head, it->skb, addr, ++it->frag,
-				    size);
+	if (np || it->frag == -1) {
+		r = ss_skb_add_frag(it->skb_head, skb, addr, ++it->frag, size);
 		if (unlikely(r))
 			return r;
+
+		if (it->frag == MAX_SKB_FRAGS - 1) {
+			it->frag = -1;
+			if (skb != it->skb_head)
+				it->skb = it->skb->next;
+		}
 	} else {
 		skb_frag_size_add(&si->frags[it->frag], size);
 	}
 
-	ss_skb_adjust_data_len(it->skb, size);
+	ss_skb_adjust_data_len(skb, size);
 	mit->curr_ptr = addr;
 
 	return 0;
@@ -1378,6 +1384,7 @@ tfw_http_msg_setup_transform_pool(TfwHttpTransIter *mit, TfwPool* pool)
 	unsigned int room = TFW_POOL_CHUNK_ROOM(pool);
 
 	BUG_ON(room < 0);
+	BUG_ON(mit->iter.frag > 0);
 
 	/* Alloc a full page if room smaller than MIN_FRAG_SIZE. */
 	if (room < MIN_HDR_FRAG_SIZE)
@@ -1411,15 +1418,18 @@ __tfw_http_msg_expand_from_pool(TfwHttpTransIter *mit, TfwPool* pool,
 				void cpy(void *dest, const void *src, size_t n))
 {
 	const TfwStr *c, *end;
-	unsigned int room, n_copy, rlen, off;
+	unsigned int room, skb_room, n_copy, rlen, off;
 	int r;
+	TfwMsgIter *it = &mit->iter;
 
-	BUG_ON(mit->iter.frag < 0);
+	BUG_ON(it->skb->len > SS_SKB_MAX_DATA_LEN);
 
 	TFW_STR_FOR_EACH_CHUNK(c, str, end) {
 		rlen = c->len;
 
 		while (rlen) {
+			unsigned char nr_frags;
+
 			room = TFW_POOL_CHUNK_ROOM(pool);
 			BUG_ON(room < 0);
 
@@ -1429,6 +1439,27 @@ __tfw_http_msg_expand_from_pool(TfwHttpTransIter *mit, TfwPool* pool,
 			 */
 			n_copy = room == 0 ? rlen : min(room, rlen);
 			off = c->len - rlen;
+			skb_room = SS_SKB_MAX_DATA_LEN - it->skb->len;
+			nr_frags = skb_shinfo(it->skb)->nr_frags;
+
+			if (skb_room == 0 || (it->skb == it->skb_head
+					      && it->frag == -1
+					      && nr_frags == MAX_SKB_FRAGS))
+			{
+				struct sk_buff *nskb;
+
+				nskb = ss_skb_alloc(0);
+				if (!nskb)
+					return -ENOMEM;
+				skb_shinfo(nskb)->tx_flags =
+					skb_shinfo(it->skb)->tx_flags;
+				ss_skb_insert_after(it->skb, nskb);
+				it->frag = -1;
+				it->skb = nskb;
+				skb_room = SS_SKB_MAX_DATA_LEN;
+			}
+
+			n_copy = min(n_copy, skb_room);
 
 			r = tfw_http_msg_alloc_from_pool(mit, pool, n_copy);
 			if (unlikely(r))

fw/ss_skb.c

@@ -173,21 +173,6 @@ __it_next_data(struct sk_buff *skb, int i, TfwStr *it, int *fragn)
 	}
 }
 
-/*
- * Insert @nskb in the list after @skb. Note that standard
- * kernel 'skb_insert()' function does not suit here, as it
- * works with 'sk_buff_head' structure with additional fields
- * @qlen and @lock; we don't need these fields for our skb
- * list, so a custom function had been introduced.
- */
-static inline void
-__skb_insert_after(struct sk_buff *skb, struct sk_buff *nskb)
-{
-	nskb->next = skb->next;
-	nskb->prev = skb;
-	nskb->next->prev = skb->next = nskb;
-}
-
 /**
  * Similar to skb_shift().
  * Make room for @n fragments starting with slot @from.
@@ -237,7 +222,7 @@ __extend_pgfrags(struct sk_buff *skb_head, struct sk_buff *skb, int from, int n)
 			if (nskb == NULL)
 				return -ENOMEM;
 			skb_shinfo(nskb)->tx_flags = skb_shinfo(skb)->tx_flags;
-			__skb_insert_after(skb, nskb);
+			ss_skb_insert_after(skb, nskb);
 			skb_shinfo(nskb)->nr_frags = n_excess;
 		}
 
@@ -1619,8 +1604,6 @@ ss_skb_add_frag(struct sk_buff *skb_head, struct sk_buff *skb, char* addr,
 	if (unlikely(r))
 		return r;
 
-	/* Will fall with sysctl_max_frags != MAX_SKB_FRAGS? */
-	skb = (frag_idx < MAX_SKB_FRAGS - 1) ? skb : skb->next;
 	__skb_fill_page_desc(skb, frag_idx, page, offset, frag_sz);
 	__skb_frag_ref(&skb_shinfo(skb)->frags[frag_idx]);
 

fw/ss_skb.h

@@ -166,6 +166,21 @@ ss_skb_queue_split(struct sk_buff *skb_head, struct sk_buff *skb)
 	skb_head->prev = prev;
 }
 
+/*
+ * Insert @nskb in the list after @skb. Note that standard
+ * kernel 'skb_insert()' function does not suit here, as it
+ * works with 'sk_buff_head' structure with additional fields
+ * @qlen and @lock; we don't need these fields for our skb
+ * list, so a custom function had been introduced.
+ */
+static inline void
+ss_skb_insert_after(struct sk_buff *skb, struct sk_buff *nskb)
+{
+	nskb->next = skb->next;
+	nskb->prev = skb;
+	nskb->next->prev = skb->next = nskb;
+}
+
 /**
  * Almost a copy of standard skb_dequeue() except it works with skb list
  * instead of sk_buff_head. Several crucial data include skb list and we don't