From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33483)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1Xtvdk-0006C8-3F
	for qemu-devel@nongnu.org; Thu, 27 Nov 2014 04:45:36 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <jasowang@redhat.com>) id 1Xtvdg-0008Tb-2t
	for qemu-devel@nongnu.org; Thu, 27 Nov 2014 04:45:32 -0500
Message-ID: <5476F2AE.60307@redhat.com>
Date: Thu, 27 Nov 2014 17:45:18 +0800
From: Jason Wang <jasowang@redhat.com>
MIME-Version: 1.0
References: <1417067965-9159-1-git-send-email-jasowang@redhat.com>
	<20141127090801.GA10195@fam-t430.nay.redhat.com>
In-Reply-To: <20141127090801.GA10195@fam-t430.nay.redhat.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [Qemu-stable] [2.2 PATCH] virtio-net: fix unmap
 leak
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Fam Zheng <famz@redhat.com>
Cc: mst@redhat.com, qemu-stable@nongnu.org, aliguori@amazon.com, qemu-devel@nongnu.org


On 11/27/2014 05:08 PM, Fam Zheng wrote:
> On Thu, 11/27 13:59, Jason Wang wrote:
>> > virtio_net_handle_ctrl() and other functions that process control vq
>> > request call iov_discard_front() which will shorten the iov. This will
>> > lead unmapping in virtqueue_push() leaks mapping.
>> > 
>> > Fixes this by keeping the original iov untouched and using a temp variable
>> > in those functions.
>> > 
>> > Cc: Wen Congyang <wency@cn.fujitsu.com>
>> > Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
>> > Cc: qemu-stable@nongnu.org
>> > Signed-off-by: Jason Wang <jasowang@redhat.com>
>> > ---
>> >  hw/net/virtio-net.c | 9 +++++++--
>> >  1 file changed, 7 insertions(+), 2 deletions(-)
>> > 
>> > diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
>> > index 9b88775..fdb4edd 100644
>> > --- a/hw/net/virtio-net.c
>> > +++ b/hw/net/virtio-net.c
>> > @@ -798,7 +798,7 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
>> >      virtio_net_ctrl_ack status = VIRTIO_NET_ERR;
>> >      VirtQueueElement elem;
>> >      size_t s;
>> > -    struct iovec *iov;
>> > +    struct iovec *iov, *iov2;
>> >      unsigned int iov_cnt;
>> >  
>> >      while (virtqueue_pop(vq, &elem)) {
>> > @@ -808,8 +808,12 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
>> >              exit(1);
>> >          }
>> >  
>> > -        iov = elem.out_sg;
>> >          iov_cnt = elem.out_num;
>> > +        s = sizeof(struct iovec) * elem.out_num;
>> > +        iov = g_malloc(s);
>> > +        memcpy(iov, elem.out_sg, s);
> This could be
>
> iov = g_memdup(elem.out_sg, sizeof(struct iovect) * elem.out_num);
>
> Fam
>

Right, will post V2.

Thanks