[PATCH net] tun: fix recovery from gup errors

[PATCH net] tun: fix recovery from gup errors

[Michael S. Tsirkin]

get user pages might fail partially in tun zero copy
mode. To recover we need to put all pages that we got,
but code used a wrong index resulting in double-free
errors.

Reported-by: Brad Hubbard <bhubbard@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

I haven't figured out why do we get failures,
but recovery is clearly wrong.

This is also -stable material.

 drivers/net/tun.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index bfa9bb4..c098b1e 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1010,8 +1010,9 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
 			return -EMSGSIZE;
 		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
 		if (num_pages != size) {
-			for (i = 0; i < num_pages; i++)
-				put_page(page[i]);
+			int j;
+			for (j = 0; j < num_pages; j++)
+				put_page(page[i + j]);
 			return -EFAULT;
 		}
 		truesize = size * PAGE_SIZE;
-- 
MST

Re: [PATCH net] tun: fix recovery from gup errors

[Sergei Shtylyov]

Hello.

On 23-06-2013 18:19, Michael S. Tsirkin wrote:

> get user pages might fail partially in tun zero copy
> mode. To recover we need to put all pages that we got,
> but code used a wrong index resulting in double-free
> errors.

> Reported-by: Brad Hubbard <bhubbard@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---

> I haven't figured out why do we get failures,
> but recovery is clearly wrong.

> This is also -stable material.

>   drivers/net/tun.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)

> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index bfa9bb4..c098b1e 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -1010,8 +1010,9 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
>   			return -EMSGSIZE;
>   		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
>   		if (num_pages != size) {
> -			for (i = 0; i < num_pages; i++)
> -				put_page(page[i]);
> +			int j;

   Empty line wouldn't hurt here, after declaration.

> +			for (j = 0; j < num_pages; j++)
> +				put_page(page[i + j]);

Re: [PATCH net] tun: fix recovery from gup errors

[Jason Wang]

On 06/23/2013 10:19 PM, Michael S. Tsirkin wrote:
> get user pages might fail partially in tun zero copy
> mode. To recover we need to put all pages that we got,
> but code used a wrong index resulting in double-free
> errors.
>
> Reported-by: Brad Hubbard <bhubbard@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>
> I haven't figured out why do we get failures,
> but recovery is clearly wrong.
>
> This is also -stable material.

Acked-by: Jason Wang <jasowang@redhat.com>
>  drivers/net/tun.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index bfa9bb4..c098b1e 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -1010,8 +1010,9 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
>  			return -EMSGSIZE;
>  		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
>  		if (num_pages != size) {
> -			for (i = 0; i < num_pages; i++)
> -				put_page(page[i]);
> +			int j;
> +			for (j = 0; j < num_pages; j++)
> +				put_page(page[i + j]);
>  			return -EFAULT;
>  		}
>  		truesize = size * PAGE_SIZE;

Re: [PATCH net] tun: fix recovery from gup errors

[Neil Horman]

On Sun, Jun 23, 2013 at 05:19:03PM +0300, Michael S. Tsirkin wrote:
> get user pages might fail partially in tun zero copy
> mode. To recover we need to put all pages that we got,
> but code used a wrong index resulting in double-free
> errors.
> 
> Reported-by: Brad Hubbard <bhubbard@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> 
> I haven't figured out why do we get failures,
> but recovery is clearly wrong.
> 
> This is also -stable material.
> 
>  drivers/net/tun.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
Acked-by: Neil Horman <nhorman@tuxdriver.com>

Re: [PATCH net] tun: fix recovery from gup errors

[Michael S. Tsirkin]

On Sun, Jun 23, 2013 at 07:36:21PM +0400, Sergei Shtylyov wrote:
> Hello.
> 
> On 23-06-2013 18:19, Michael S. Tsirkin wrote:
> 
> >get user pages might fail partially in tun zero copy
> >mode. To recover we need to put all pages that we got,
> >but code used a wrong index resulting in double-free
> >errors.
> 
> >Reported-by: Brad Hubbard <bhubbard@redhat.com>
> >Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> >---
> 
> >I haven't figured out why do we get failures,
> >but recovery is clearly wrong.
> 
> >This is also -stable material.
> 
> >  drivers/net/tun.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> >diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> >index bfa9bb4..c098b1e 100644
> >--- a/drivers/net/tun.c
> >+++ b/drivers/net/tun.c
> >@@ -1010,8 +1010,9 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
> >  			return -EMSGSIZE;
> >  		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
> >  		if (num_pages != size) {
> >-			for (i = 0; i < num_pages; i++)
> >-				put_page(page[i]);
> >+			int j;
> 
>   Empty line wouldn't hurt here, after declaration.
> 
> >+			for (j = 0; j < num_pages; j++)
> >+				put_page(page[i + j]);

I think it's clearer without: this is the only code
within this block, declaration is really part of
the loop that comes after it.
An empty line would break it up visually.

Re: [PATCH net] tun: fix recovery from gup errors

[David Miller]

From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 24 Jun 2013 15:54:12 +0300

> On Sun, Jun 23, 2013 at 07:36:21PM +0400, Sergei Shtylyov wrote:
>> Hello.
>> 
>> On 23-06-2013 18:19, Michael S. Tsirkin wrote:
>> 
>> >get user pages might fail partially in tun zero copy
>> >mode. To recover we need to put all pages that we got,
>> >but code used a wrong index resulting in double-free
>> >errors.
>> 
>> >Reported-by: Brad Hubbard <bhubbard@redhat.com>
>> >Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>> >---
>> 
>> >I haven't figured out why do we get failures,
>> >but recovery is clearly wrong.
>> 
>> >This is also -stable material.
>> 
>> >  drivers/net/tun.c | 5 +++--
>> >  1 file changed, 3 insertions(+), 2 deletions(-)
>> 
>> >diff --git a/drivers/net/tun.c b/drivers/net/tun.c
>> >index bfa9bb4..c098b1e 100644
>> >--- a/drivers/net/tun.c
>> >+++ b/drivers/net/tun.c
>> >@@ -1010,8 +1010,9 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
>> >  			return -EMSGSIZE;
>> >  		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
>> >  		if (num_pages != size) {
>> >-			for (i = 0; i < num_pages; i++)
>> >-				put_page(page[i]);
>> >+			int j;
>> 
>>   Empty line wouldn't hurt here, after declaration.
>> 
>> >+			for (j = 0; j < num_pages; j++)
>> >+				put_page(page[i + j]);
> 
> I think it's clearer without: this is the only code
> within this block, declaration is really part of
> the loop that comes after it.
> An empty line would break it up visually.

No, really, an empty line after local variable declarations please.

Re: [PATCH net] tun: fix recovery from gup errors

[David Miller]

From: Jason Wang <jasowang@redhat.com>
Date: Mon, 24 Jun 2013 11:22:52 +0800

> On 06/23/2013 10:19 PM, Michael S. Tsirkin wrote:
>> get user pages might fail partially in tun zero copy
>> mode. To recover we need to put all pages that we got,
>> but code used a wrong index resulting in double-free
>> errors.
>>
>> Reported-by: Brad Hubbard <bhubbard@redhat.com>
>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>> ---
>>
>> I haven't figured out why do we get failures,
>> but recovery is clearly wrong.
>>
>> This is also -stable material.
> 
> Acked-by: Jason Wang <jasowang@redhat.com>

Applied with the missing empty line added, I was tired of waiting for
Michael to take care of this himself.