| From 837585a5375c38d40361cfe64e6fd11e1addb936 Mon Sep 17 00:00:00 2001 |
| From: Willem de Bruijn <willemb@google.com> |
| Date: Fri, 3 Feb 2017 18:20:49 -0500 |
| Subject: [PATCH] macvtap: read vnet_hdr_size once |
| |
| commit 837585a5375c38d40361cfe64e6fd11e1addb936 upstream. |
| |
| When IFF_VNET_HDR is enabled, a virtio_net header must precede data. |
| Data length is verified to be greater than or equal to expected header |
| length tun->vnet_hdr_sz before copying. |
| |
| Macvtap functions read the value once, but unless READ_ONCE is used, |
| the compiler may ignore this and read multiple times. Enforce a single |
| read and locally cached value to avoid updates between test and use. |
| |
| Signed-off-by: Willem de Bruijn <willemb@google.com> |
| Suggested-by: Eric Dumazet <edumazet@google.com> |
| Acked-by: Eric Dumazet <edumazet@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| |
| diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c |
| index 402618565838..c27011bbe30c 100644 |
| --- a/drivers/net/macvtap.c |
| +++ b/drivers/net/macvtap.c |
| @@ -681,7 +681,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, |
| size_t linear; |
| |
| if (q->flags & IFF_VNET_HDR) { |
| - vnet_hdr_len = q->vnet_hdr_sz; |
| + vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); |
| |
| err = -EINVAL; |
| if (len < vnet_hdr_len) |
| @@ -820,7 +820,7 @@ static ssize_t macvtap_put_user(struct macvtap_queue *q, |
| |
| if (q->flags & IFF_VNET_HDR) { |
| struct virtio_net_hdr vnet_hdr; |
| - vnet_hdr_len = q->vnet_hdr_sz; |
| + vnet_hdr_len = READ_ONCE(q->vnet_hdr_sz); |
| if (iov_iter_count(iter) < vnet_hdr_len) |
| return -EINVAL; |
| |
| -- |
| 2.12.0 |
| |
