From patchwork Fri Sep 18 07:54:44 2015
X-Patchwork-Submitter: Christian Borntraeger
X-Patchwork-Id: 7213621
From: Christian Borntraeger
To: "Michael S. Tsirkin"
Cc: stable@vger.kernel.org, netdev@vger.kernel.org, Matthew Rosato, kvm@vger.kernel.org, "David S. Miller", Christian Borntraeger
Subject: [PATCH 1/1] macvtap: Fix regression for macvtap ioctls
Date: Fri, 18 Sep 2015 09:54:44 +0200
Message-Id: <1442562884-27310-2-git-send-email-borntraeger@de.ibm.com>
In-Reply-To: <1442562884-27310-1-git-send-email-borntraeger@de.ibm.com>
References: <1442562884-27310-1-git-send-email-borntraeger@de.ibm.com>

To avoid overwriting the upper bits of the flags, commit 39ec7de7092b
("macvtap: fix uninitialized access on TUNSETIFF") changed the variable u
from unsigned int to unsigned short and added some ORing logic for the
flags. This introduced at least one regression:
- TUNSETSNDBUF supports int as its size and also uses the now short u as
  buffer - this breaks any sendbuf size > 64k

Let's change u back to unsigned int, keep the ORing and handle the
overwrite issue with casts and masking.

Cc: Michael S. Tsirkin
Cc: David S. Miller
Reported-by: Mark A. Peloquin
Bisected-by: Matthew Rosato
Signed-off-by: Christian Borntraeger
Fixes: 39ec7de7092b ("macvtap: fix uninitialized access on TUNSETIFF")
Cc: stable@vger.kernel.org
---
 drivers/net/macvtap.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c index edd7734..c33fe41 100644 --- a/drivers/net/macvtap.c +++ b/drivers/net/macvtap.c
@@ -1060,7 +1060,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, void __user *argp = (void __user *)arg; struct ifreq __user *ifr = argp; unsigned int __user *up = argp; - unsigned short u; + unsigned int u; int __user *sp = argp; struct sockaddr sa; int s; @@ -1076,7 +1076,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, if ((u & ~MACVTAP_FEATURES) != (IFF_NO_PI | IFF_TAP)) ret = -EINVAL; else - q->flags = (q->flags & ~MACVTAP_FEATURES) | u; + q->flags = (q->flags & ~MACVTAP_FEATURES) | (short) u; return ret; @@ -1089,9 +1089,8 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd, } ret = 0; - u = q->flags; if (copy_to_user(&ifr->ifr_name, vlan->dev->name, IFNAMSIZ) || - put_user(u, &ifr->ifr_flags)) + put_user((short) q->flags, &ifr->ifr_flags)) ret = -EFAULT; macvtap_put_vlan(vlan); rtnl_unlock();
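Review bot: in the declaration hunk (@@ -1060), `u` stays a single scratch variable shared by the 16-bit flags path and the int-sized TUNSETSNDBUF path, and that sharing is what the commit message identifies as the source of both the original overwrite and this regression. Consider two locals of the matching widths (one for the `ifr_flags` value, one for the value read through `up`) so that no cast is needed at the use sites. The load that fills `u` before the `(u & ~MACVTAP_FEATURES)` check is outside the visible context; please confirm that with the wider type it cannot leave stale or sign-extended upper bits in `u`.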
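Review bot: in the TUNSETIFF hunk (@@ -1076), `| (short) u` casts to a signed type, so if bit 15 of `u` were ever set the value would be sign-extended when it is promoted for the OR and would set every upper bit of `q->flags`, which is the overwrite this patch is meant to prevent. It is safe here only because the preceding `(u & ~MACVTAP_FEATURES) != (IFF_NO_PI | IFF_TAP)` check rejects other bits, and that dependency is not obvious from the assignment. The commit message promises "casts and masking" but the hunk contains only the cast; an explicit mask such as `(u & 0xffff)` or an `(unsigned short)` cast would state the intent without relying on the check.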
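Review bot: in the last hunk (@@ -1089), `put_user((short) q->flags, &ifr->ifr_flags)` silently truncates `q->flags` to its low 16 bits, and nothing in the code says which bits are meant to be visible to user space. A short comment, or a named mask for the user-visible flag bits applied before the store, would document that dropping the upper bits is intentional and would keep a later change to the layout of `q->flags` from altering what is reported. Removing the `u = q->flags;` temporary is fine.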