hyperv: Fix page buffer handling in rndis_filter_send_request()
Haiyang Zhang [Tue, 2 Oct 2012 05:30:21 +0000 (05:30 +0000)]
To prevent possible data corruption in RNDIS requests, add another
page buffer if the request message crossed page boundary.

Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

drivers/net/hyperv/rndis_filter.c

index 617eb2e..f25f41e 100644 (file)
@@ -45,7 +45,8 @@ struct rndis_request {
 
        /* Simplify allocation by having a netvsc packet inline */
        struct hv_netvsc_packet pkt;
-       struct hv_page_buffer buf;
+       /* Set 2 pages for rndis requests crossing page boundary */
+       struct hv_page_buffer buf[2];
 
        struct rndis_message request_msg;
        /*
@@ -227,6 +228,18 @@ static int rndis_filter_send_request(struct rndis_device *dev,
        packet->page_buf[0].offset =
                (unsigned long)&req->request_msg & (PAGE_SIZE - 1);
 
+       /* Add one page_buf when request_msg crossing page boundary */
+       if (packet->page_buf[0].offset + packet->page_buf[0].len > PAGE_SIZE) {
+               packet->page_buf_cnt++;
+               packet->page_buf[0].len = PAGE_SIZE -
+                       packet->page_buf[0].offset;
+               packet->page_buf[1].pfn = virt_to_phys((void *)&req->request_msg
+                       + packet->page_buf[0].len) >> PAGE_SHIFT;
+               packet->page_buf[1].offset = 0;
+               packet->page_buf[1].len = req->request_msg.msg_len -
+                       packet->page_buf[0].len;
+       }
+
        packet->completion.send.send_completion_ctx = req;/* packet; */
        packet->completion.send.send_completion =
                rndis_filter_send_request_completion;