Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932267AbbD1C51 (ORCPT <rfc822;w@1wt.eu>);
	Mon, 27 Apr 2015 22:57:27 -0400
Received: from mail-bl2on0119.outbound.protection.outlook.com ([65.55.169.119]:40672
	"EHLO na01-bl2-obe.outbound.protection.outlook.com"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1752859AbbD1C5U convert rfc822-to-8bit (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 27 Apr 2015 22:57:20 -0400
Authentication-Results: spf=pass (sender IP is 206.191.229.116)
 smtp.mailfrom=microsoft.com; davemloft.net; dkim=none (message not signed)
 header.d=none;
From: Dexuan Cui <decui@microsoft.com>
To: KY Srinivasan <kys@microsoft.com>,
        "davem@davemloft.net" <davem@davemloft.net>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "devel@linuxdriverproject.org" <devel@linuxdriverproject.org>,
        "olaf@aepfle.de" <olaf@aepfle.de>,
        "apw@canonical.com" <apw@canonical.com>,
        "jasowang@redhat.com" <jasowang@redhat.com>
Subject: RE: [PATCH net 1/1] hv_netvsc: Fix a bug in netvsc_start_xmit()
Thread-Topic: [PATCH net 1/1] hv_netvsc: Fix a bug in netvsc_start_xmit()
Thread-Index: AQHQgUW6L+9bpFgbFE+YmVAyXOKcap1hunlw
Date: Tue, 28 Apr 2015 02:57:12 +0000
Message-ID: <98aada63cb294d9ea4eb7807ccb42baa@SIXPR30MB031.064d.mgd.msft.net>
References: <1430183690-24198-1-git-send-email-kys@microsoft.com>
In-Reply-To: <1430183690-24198-1-git-send-email-kys@microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [141.251.57.68]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8BIT
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:206.191.229.116;CTRY:US;IPV:NLI;EFV:NLI;BMV:1;SFV:NSPM;SFS:(10019020)(6009001)(438002)(51704005)(164054003)(13464003)(199003)(189002)(50986999)(23726002)(2501003)(47776003)(46102003)(50466002)(2656002)(16796002)(2561002)(2201001)(19580405001)(86612001)(1511001)(66066001)(86362001)(5001770100001)(575784001)(86146001)(87936001)(24736003)(54356999)(76176999)(77156002)(107886001)(106466001)(2421001)(106116001)(46406003)(19580395003)(92566002)(62966003)(6806004)(108616004)(2950100001)(102836002)(33646002)(2900100001)(97756001);DIR:OUT;SFP:1102;SCL:1;SRVR:BN3PR03MB1512;H:064-smtp-out.microsoft.com;FPR:;SPF:Pass;MLV:sfv;A:1;MX:1;LANG:en;
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR03MB1512;
X-Microsoft-Antispam-PRVS: <BN3PR03MB151243FA996E94183F3B9173BFE80@BN3PR03MB1512.namprd03.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(5002010)(5005006)(3002001);SRVR:BN3PR03MB1512;BCL:0;PCL:0;RULEID:;SRVR:BN3PR03MB1512;
X-Forefront-PRVS: 0560A2214D
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Apr 2015 02:57:15.5329
 (UTC)
X-MS-Exchange-CrossTenant-Id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47;Ip=[206.191.229.116];Helo=[064-smtp-out.microsoft.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR03MB1512
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1771
Lines: 49

> -----Original Message-----
> From: devel [mailto:driverdev-devel-bounces@linuxdriverproject.org] On
> Behalf Of K. Y. Srinivasan
> Sent: Tuesday, April 28, 2015 9:15
> To: davem@davemloft.net; netdev@vger.kernel.org; linux-
> kernel@vger.kernel.org; devel@linuxdriverproject.org; olaf@aepfle.de;
> apw@canonical.com; jasowang@redhat.com
> Subject: [PATCH net 1/1] hv_netvsc: Fix a bug in netvsc_start_xmit()
> 
> Commit commit b08cc79155fc26d0d112b1470d1ece5034651a4b
> eliminated memory
> allocation in the packet send path. This commit introduced a bug since it
> did not account for the case if the skb was cloned. Fix this bug by
> using the pre-reserved head room only if the skb is not cloned.
> 
> Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
> ---
>  drivers/net/hyperv/netvsc_drv.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/net/hyperv/netvsc_drv.c
> b/drivers/net/hyperv/netvsc_drv.c
> index a3a9d38..7eb0251 100644
> --- a/drivers/net/hyperv/netvsc_drv.c
> +++ b/drivers/net/hyperv/netvsc_drv.c
> @@ -421,7 +421,7 @@ check_size:
> 
>  	pkt_sz = sizeof(struct hv_netvsc_packet) + RNDIS_AND_PPI_SIZE;
> 
> -	if (head_room < pkt_sz) {
> +	if (skb->cloned ||  head_room < pkt_sz) {
>  		packet = kmalloc(pkt_sz, GFP_ATOMIC);
>  		if (!packet) {
>  			/* out of memory, drop packet */
> --

Without the patch, the guest can panic due to memory corruption.

I confirm the patch can fix the panic I saw.

Tested-by: Dexuan Cui <decui@microsoft.com>

Thanks,
-- Dexuan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/