[PATCH] macvtap: fix TUNSETSNDBUF values

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] macvtap: fix TUNSETSNDBUF values > 64k
@ 2015-09-18 10:41 Michael S. Tsirkin
  2015-09-18 10:49 ` Christian Borntraeger
  2015-09-21  5:45 ` David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Michael S. Tsirkin @ 2015-09-18 10:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: David S. Miller, Matthew Rosato, Christian Borntraeger, Al Viro,
	Jason Wang, David Gibson, Greg Kurz, Vlad Yasevich,
	Justin Cormack, Herbert Xu, netdev

Upon TUNSETSNDBUF,  macvtap reads the requested sndbuf size into
a local variable u.
commit 39ec7de7092b ("macvtap: fix uninitialized access on
TUNSETIFF") changed its type to u16 (which is the right thing to
do for all other macvtap ioctls), breaking all values > 64k.

The value of TUNSETSNDBUF is actually a signed 32 bit integer, so
the right thing to do is to read it into an int.

Cc: David S. Miller <davem@davemloft.net>
Fixes: 39ec7de7092b ("macvtap: fix uninitialized access on TUNSETIFF")
Reported-by: Mark A. Peloquin
Bisected-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com>
Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

This patch probably makes sense on stable.

 drivers/net/macvtap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index edd7734..248478c 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -1111,10 +1111,10 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
 		return 0;
 
 	case TUNSETSNDBUF:
-		if (get_user(u, up))
+		if (get_user(s, sp))
 			return -EFAULT;
 
-		q->sk.sk_sndbuf = u;
+		q->sk.sk_sndbuf = s;
 		return 0;
 
 	case TUNGETVNETHDRSZ:
-- 
MST

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] macvtap: fix TUNSETSNDBUF values > 64k
  2015-09-18 10:41 [PATCH] macvtap: fix TUNSETSNDBUF values > 64k Michael S. Tsirkin
@ 2015-09-18 10:49 ` Christian Borntraeger
  2015-09-18 10:50   ` Michael S. Tsirkin
  2015-09-21  5:45 ` David Miller
  1 sibling, 1 reply; 4+ messages in thread
From: Christian Borntraeger @ 2015-09-18 10:49 UTC (permalink / raw)
  To: Michael S. Tsirkin, linux-kernel
  Cc: David S. Miller, Matthew Rosato, Al Viro, Jason Wang,
	David Gibson, Greg Kurz, Vlad Yasevich, Justin Cormack,
	Herbert Xu, netdev, Matthew Rosato

Am 18.09.2015 um 12:41 schrieb Michael S. Tsirkin:
> Upon TUNSETSNDBUF,  macvtap reads the requested sndbuf size into
> a local variable u.
> commit 39ec7de7092b ("macvtap: fix uninitialized access on
> TUNSETIFF") changed its type to u16 (which is the right thing to
> do for all other macvtap ioctls), breaking all values > 64k.
> 
> The value of TUNSETSNDBUF is actually a signed 32 bit integer, so
> the right thing to do is to read it into an int.
> 
> Cc: David S. Miller <davem@davemloft.net>
> Fixes: 39ec7de7092b ("macvtap: fix uninitialized access on TUNSETIFF")
> Reported-by: Mark A. Peloquin
> Bisected-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com>
> Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

You can add
Tested-by:  Matthew Rosato <mjrosato@linux.vnet.ibm.com>
as this looks identical to an early version of my patch which was tested,
by Matt. (I send you the other version that changes back u as I felt that
u and up are named to identify unsigned)

and please add
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>

what about
CC: stable@vger.kernel.org

Christian

> ---
> 
> This patch probably makes sense on stable.
> 
>  drivers/net/macvtap.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
> index edd7734..248478c 100644
> --- a/drivers/net/macvtap.c
> +++ b/drivers/net/macvtap.c
> @@ -1111,10 +1111,10 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
>  		return 0;
> 
>  	case TUNSETSNDBUF:
> -		if (get_user(u, up))
> +		if (get_user(s, sp))
>  			return -EFAULT;
> 
> -		q->sk.sk_sndbuf = u;
> +		q->sk.sk_sndbuf = s;
>  		return 0;
> 
>  	case TUNGETVNETHDRSZ:
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] macvtap: fix TUNSETSNDBUF values > 64k
  2015-09-18 10:49 ` Christian Borntraeger
@ 2015-09-18 10:50   ` Michael S. Tsirkin
  0 siblings, 0 replies; 4+ messages in thread
From: Michael S. Tsirkin @ 2015-09-18 10:50 UTC (permalink / raw)
  To: Christian Borntraeger
  Cc: linux-kernel, David S. Miller, Matthew Rosato, Al Viro,
	Jason Wang, David Gibson, Greg Kurz, Vlad Yasevich,
	Justin Cormack, Herbert Xu, netdev

On Fri, Sep 18, 2015 at 12:49:07PM +0200, Christian Borntraeger wrote:
> Am 18.09.2015 um 12:41 schrieb Michael S. Tsirkin:
> > Upon TUNSETSNDBUF,  macvtap reads the requested sndbuf size into
> > a local variable u.
> > commit 39ec7de7092b ("macvtap: fix uninitialized access on
> > TUNSETIFF") changed its type to u16 (which is the right thing to
> > do for all other macvtap ioctls), breaking all values > 64k.
> > 
> > The value of TUNSETSNDBUF is actually a signed 32 bit integer, so
> > the right thing to do is to read it into an int.
> > 
> > Cc: David S. Miller <davem@davemloft.net>
> > Fixes: 39ec7de7092b ("macvtap: fix uninitialized access on TUNSETIFF")
> > Reported-by: Mark A. Peloquin
> > Bisected-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com>
> > Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> 
> You can add
> Tested-by:  Matthew Rosato <mjrosato@linux.vnet.ibm.com>
> as this looks identical to an early version of my patch which was tested,
> by Matt. (I send you the other version that changes back u as I felt that
> u and up are named to identify unsigned)
> 
> and please add
> Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
> 
> what about
> CC: stable@vger.kernel.org
> 
> Christian

David Miller adds that himself for netdev patches.

> > ---
> > 
> > This patch probably makes sense on stable.
> > 
> >  drivers/net/macvtap.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
> > index edd7734..248478c 100644
> > --- a/drivers/net/macvtap.c
> > +++ b/drivers/net/macvtap.c
> > @@ -1111,10 +1111,10 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
> >  		return 0;
> > 
> >  	case TUNSETSNDBUF:
> > -		if (get_user(u, up))
> > +		if (get_user(s, sp))
> >  			return -EFAULT;
> > 
> > -		q->sk.sk_sndbuf = u;
> > +		q->sk.sk_sndbuf = s;
> >  		return 0;
> > 
> >  	case TUNGETVNETHDRSZ:
> > 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] macvtap: fix TUNSETSNDBUF values > 64k
  2015-09-18 10:41 [PATCH] macvtap: fix TUNSETSNDBUF values > 64k Michael S. Tsirkin
  2015-09-18 10:49 ` Christian Borntraeger
@ 2015-09-21  5:45 ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2015-09-21  5:45 UTC (permalink / raw)
  To: mst
  Cc: linux-kernel, mjrosato, borntraeger, viro, jasowang, david, gkurz,
	vyasevich, justin, herbert, netdev

From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Fri, 18 Sep 2015 13:41:09 +0300

> Upon TUNSETSNDBUF,  macvtap reads the requested sndbuf size into
> a local variable u.
> commit 39ec7de7092b ("macvtap: fix uninitialized access on
> TUNSETIFF") changed its type to u16 (which is the right thing to
> do for all other macvtap ioctls), breaking all values > 64k.
> 
> The value of TUNSETSNDBUF is actually a signed 32 bit integer, so
> the right thing to do is to read it into an int.
> 
> Cc: David S. Miller <davem@davemloft.net>
> Fixes: 39ec7de7092b ("macvtap: fix uninitialized access on TUNSETIFF")
> Reported-by: Mark A. Peloquin
> Bisected-by: Matthew Rosato <mjrosato@linux.vnet.ibm.com>
> Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Applied and queued up for -stable, thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2015-09-21  5:45 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-18 10:41 [PATCH] macvtap: fix TUNSETSNDBUF values > 64k Michael S. Tsirkin
2015-09-18 10:49 ` Christian Borntraeger
2015-09-18 10:50   ` Michael S. Tsirkin
2015-09-21  5:45 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).