Re: [PATCH] cls_u32: use skb_copy_bits() to dereference data safely
From: David Miller <davem@davemloft.net>
Date: 2010-06-02 12:47:26
From: jamal <redacted>
Date: Wed, 02 Jun 2010 08:20:19 -0400

> I am surprised we never caught this all these years and wondering why this never crashed in your example?
Well for one thing there is all sorts of "stuff" past the end of the valid skb->data area. For example, there is some padding and then there is skb_shared_info(). Furthermore, the kernel allocator can round up the size it uses for SLAB objects which gives even more padding past the end of even skb_shared_info(). Furthermore, the chance of the page past the page skb->data is in being invalid is very low. You'd have to have invalid memory in the page after the skb->data. All of this conspires to just letting blind reads work in a large number of illegal cases.
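The point of the patch in the subject line is that a classifier must not dereference skb->data at an arbitrary offset; it should go through a bounds-checked copy such as skb_copy_bits(), which refuses a read that would run past the valid data instead of silently returning padding or skb_shared_info() bytes. The following user-space C model, added here as an illustration and not code from the kernel or from this thread, shows the difference: `toy_skb`, `toy_skb_copy_bits` and `toy_u32_match` are hypothetical names that mimic the contract of the real helpers (0 on success, -EFAULT when the range is out of bounds), and the 20-byte packet is constructed sample data.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an sk_buff's linear area: only [data, data + len) is
 * valid. Whatever lies past `len` (padding, shared info, allocator slack in
 * the real kernel) must never be read. Hypothetical type, not kernel code. */
struct toy_skb {
    const unsigned char *data;
    size_t len;
};

/* Bounds-checked read modelled on the contract of skb_copy_bits(): copy `len`
 * bytes at `offset` into `to`, returning 0 on success and -EFAULT when the
 * range is not fully inside the valid data. The overflow-safe form of the
 * check (offset > len || len > skb->len - offset) avoids offset + len wrapping. */
int toy_skb_copy_bits(const struct toy_skb *skb, size_t offset, void *to, size_t len)
{
    if (offset > skb->len || len > skb->len - offset)
        return -EFAULT;
    memcpy(to, skb->data + offset, len);
    return 0;
}

/* u32-style key test: fetch the 32-bit word at `offset` (network byte order)
 * and compare (word & mask) against val. Returns 1 on match, 0 on mismatch,
 * -EFAULT if the word would start or end past the valid data. */
int toy_u32_match(const struct toy_skb *skb, size_t offset, uint32_t val, uint32_t mask)
{
    unsigned char raw[4];
    int err = toy_skb_copy_bits(skb, offset, raw, sizeof raw);
    if (err)
        return err;
    uint32_t word = ((uint32_t)raw[0] << 24) | ((uint32_t)raw[1] << 16) |
                    ((uint32_t)raw[2] << 8)  |  (uint32_t)raw[3];
    return (word & mask) == val;
}

/* Constructed 20-byte IPv4-header-like buffer; bytes 12..15 hold 10.0.0.1
 * and bytes 16..19 hold 192.168.1.2. */
static const unsigned char sample_pkt[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0xc0, 0xa8, 0x01, 0x02
};

/* Source-address key fully inside the data: returns 1 (match). */
int example_match_in_bounds(void)
{
    struct toy_skb skb = { sample_pkt, sizeof sample_pkt };
    return toy_u32_match(&skb, 12, 0x0a000001u, 0xffffffffu);
}

/* Same key at offset 18: only two valid bytes remain, so the read is refused
 * with -EFAULT instead of reading whatever sits past the end of the buffer. */
int example_match_out_of_bounds(void)
{
    struct toy_skb skb = { sample_pkt, sizeof sample_pkt };
    return toy_u32_match(&skb, 18, 0x0a000001u, 0xffffffffu);
}

int main(void)
{
    printf("in bounds: %d\n", example_match_in_bounds());
    printf("out of bounds: %d (-EFAULT is %d)\n",
           example_match_out_of_bounds(), -EFAULT);
    return 0;
}
```

A blind `*(uint32_t *)(skb->data + 18)` on the same buffer would, as the reply above explains, usually return padding bytes rather than fault, so the bug stays invisible in testing; the checked helper turns that silent misread into an error the classifier can act on (in cls_u32 the natural response is to treat the key as a mismatch).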