From fe324f69901af83cb16ee086f3d284e67ed36e33 Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Tue, 6 Dec 2016 08:49:41 -0800 Subject: [PATCH] Linux v4.9-rc8-9-gd9d0452 - Fix DMA from stack in virtio-net (rhbz 1401612) --- gitrev | 2 +- kernel.spec | 9 +- sources | 1 + ...the-stack-in-virtnet_set_mac_address.patch | 82 +++++++++++++++++++ 4 files changed, 92 insertions(+), 2 deletions(-) create mode 100644 virtio-net-Fix-DMA-from-the-stack-in-virtnet_set_mac_address.patch diff --git a/gitrev b/gitrev index b588bc480..53f46bc23 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -2caceb3294a78c389b462e7e236a4e744a53a474 +d9d04527c79f0f7d9186272866526e871ef4ac6f diff --git a/kernel.spec b/kernel.spec index e4d9499e7..27c874fab 100644 --- a/kernel.spec +++ b/kernel.spec @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 8 # The git snapshot level -%define gitrev 0 +%define gitrev 1 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -621,6 +621,9 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch #ongoing complaint, full discussion delayed until ksummit/plumbers Patch849: 0001-iio-Use-event-header-from-kernel-tree.patch +#rhbz 1401612 +Patch850: virtio-net-Fix-DMA-from-the-stack-in-virtnet_set_mac_address.patch + # END OF PATCH DEFINITIONS %endif @@ -2168,6 +2171,10 @@ fi # # %changelog +* Tue Dec 06 2016 Laura Abbott - 4.9.0-0.rc8.git1.1 +- Linux v4.9-rc8-9-gd9d0452 +- Fix DMA from stack in virtio-net (rhbz 1401612) + * Tue Dec 06 2016 Laura Abbott - Reenable debugging options. diff --git a/sources b/sources index efa88936e..dd9c85159 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ c1af0afbd3df35c1ccdc7a5118cd2d07 linux-4.8.tar.xz 0dad03f586e835d538d3e0d2cbdb9a28 perf-man-4.8.tar.gz 0325bf5c99db7ad4317707afe23aa954 patch-4.9-rc8.xz +8d3883138f338758fd9651ae6259e95b patch-4.9-rc8-git1.xz diff --git a/virtio-net-Fix-DMA-from-the-stack-in-virtnet_set_mac_address.patch b/virtio-net-Fix-DMA-from-the-stack-in-virtnet_set_mac_address.patch new file mode 100644 index 000000000..1a392f929 --- /dev/null +++ b/virtio-net-Fix-DMA-from-the-stack-in-virtnet_set_mac_address.patch @@ -0,0 +1,82 @@ +From patchwork Tue Dec 6 02:10:58 2016 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: virtio-net: Fix DMA-from-the-stack in virtnet_set_mac_address() +From: Andy Lutomirski +X-Patchwork-Id: 702984 +X-Patchwork-Delegate: davem@davemloft.net +Message-Id: +To: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, + Andy Lutomirski , + "Michael S . Tsirkin" , Jason Wang , + Laura Abbott +Date: Mon, 5 Dec 2016 18:10:58 -0800 + +With CONFIG_VMAP_STACK=y, virtnet_set_mac_address() can be passed a +pointer to the stack and it will OOPS. Copy the address to the heap +to prevent the crash. + +Cc: Michael S. Tsirkin +Cc: Jason Wang +Cc: Laura Abbott +Reported-by: zbyszek@in.waw.pl +Signed-off-by: Andy Lutomirski +Acked-by: Jason Wang +Acked-by: Michael S. Tsirkin +--- + +Very lightly tested. + + drivers/net/virtio_net.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 7276d5a95bd0..cbf1c613c67a 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -969,12 +969,17 @@ static int virtnet_set_mac_address(struct net_device *dev, void *p) + struct virtnet_info *vi = netdev_priv(dev); + struct virtio_device *vdev = vi->vdev; + int ret; +- struct sockaddr *addr = p; ++ struct sockaddr *addr; + struct scatterlist sg; + +- ret = eth_prepare_mac_addr_change(dev, p); ++ addr = kmalloc(sizeof(*addr), GFP_KERNEL); ++ if (!addr) ++ return -ENOMEM; ++ memcpy(addr, p, sizeof(*addr)); ++ ++ ret = eth_prepare_mac_addr_change(dev, addr); + if (ret) +- return ret; ++ goto out; + + if (virtio_has_feature(vdev, VIRTIO_NET_F_CTRL_MAC_ADDR)) { + sg_init_one(&sg, addr->sa_data, dev->addr_len); +@@ -982,7 +987,8 @@ static int virtnet_set_mac_address(struct net_device *dev, void *p) + VIRTIO_NET_CTRL_MAC_ADDR_SET, &sg)) { + dev_warn(&vdev->dev, + "Failed to set mac address by vq command.\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto out; + } + } else if (virtio_has_feature(vdev, VIRTIO_NET_F_MAC) && + !virtio_has_feature(vdev, VIRTIO_F_VERSION_1)) { +@@ -996,8 +1002,11 @@ static int virtnet_set_mac_address(struct net_device *dev, void *p) + } + + eth_commit_mac_addr_change(dev, p); ++ ret = 0; + +- return 0; ++out: ++ kfree(addr); ++ return ret; + } + + static struct rtnl_link_stats64 *virtnet_stats(struct net_device *dev,