From patchwork Tue Jul 30 09:31:03 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Henriques X-Patchwork-Id: 263317 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id D0A392C0082 for ; Tue, 30 Jul 2013 19:41:14 +1000 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1V46QV-0002AT-QF; Tue, 30 Jul 2013 09:41:07 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1V46Ic-0007Bs-5q for kernel-team@lists.ubuntu.com; Tue, 30 Jul 2013 09:32:58 +0000 Received: from bl20-154-152.dsl.telepac.pt ([2.81.154.152] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1V46Ib-0003Yk-WA; Tue, 30 Jul 2013 09:32:58 +0000 From: Luis Henriques To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, kernel-team@lists.ubuntu.com Subject: [PATCH 044/106] macvtap: fix recovery from gup errors Date: Tue, 30 Jul 2013 10:31:03 +0100 Message-Id: <1375176725-5825-45-git-send-email-luis.henriques@canonical.com> X-Mailer: git-send-email 1.8.3.2 In-Reply-To: <1375176725-5825-1-git-send-email-luis.henriques@canonical.com> References: <1375176725-5825-1-git-send-email-luis.henriques@canonical.com> X-Extended-Stable: 3.5 Cc: "David S. Miller" , "Michael S. Tsirkin" X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com 3.5.7.18 -stable review patch. If anyone has any objections, please let me know. ------------------ From: "Michael S. Tsirkin" commit 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 upstream. get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller Signed-off-by: Luis Henriques --- drivers/net/macvtap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c index 2ee56de..d566234 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c @@ -534,8 +534,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, return -EMSGSIZE; num_pages = get_user_pages_fast(base, size, 0, &page[i]); if (num_pages != size) { - for (i = 0; i < num_pages; i++) - put_page(page[i]); + int j; + + for (j = 0; j < num_pages; j++) + put_page(page[i + j]); return -EFAULT; } truesize = size * PAGE_SIZE;