From f2452d28602c2de1d69d5ca2e34e6771374414a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Wed, 16 Dec 2015 05:19:37 +0100
Subject: [PATCH] xen-netfront: do not use data already exposed to backend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backend may freely modify anything on shared page, so use data which was supposed to be written there, instead of reading it back from the shared page. This is part of XSA155.
CC: stable@vger.kernel.org
Signed-off-by: Marek Marczykowski-Górecki
---
 drivers/net/xen-netfront.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index abb9b3cd87b8..56c8a4a32672 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -456,7 +456,7 @@ static void xennet_tx_setup_grant(unsigned long gfn, unsigned int offset,
 tx->flags = 0;
 info->tx = tx;
- info->size += tx->size;
+ info->size += len;
 }
 static struct xen_netif_tx_request *xennet_make_first_txreq(
@@ -572,7 +572,7 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
 int slots;
 struct page *page;
 unsigned int offset;
- unsigned int len;
+ unsigned int len, this_len;
 unsigned long flags;
 struct netfront_queue *queue = NULL;
 unsigned int num_queues = dev->real_num_tx_queues;
@@ -632,14 +632,15 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
 }
 /* First request for the linear area. */
+ this_len = min_t(unsigned int, XEN_PAGE_SIZE - offset, len);
 first_tx = tx = xennet_make_first_txreq(queue, skb, page, offset, len);
- offset += tx->size;
+ offset += this_len;
 if (offset == PAGE_SIZE) {
 page++;
 offset = 0;
 }
- len -= tx->size;
+ len -= this_len;
 if (skb->ip_summed == CHECKSUM_PARTIAL) /* local packet? */
--
2.21.0
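Review bot: In the first hunk, xennet_tx_setup_grant has no comment recording why `info->size` is now accumulated from `len` rather than from the request, so a later cleanup could quietly restore the read-back from the shared ring. I would add above the assignment: `/* tx is on the shared ring and backend-writable: account with our own len, never read tx->size back */`. `len` is declared outside the hunk (presumably the callback's length argument), and the function starts above the visible context.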
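Review bot: In the third hunk (xennet_start_xmit), `this_len = min_t(unsigned int, XEN_PAGE_SIZE - offset, len);` wraps as unsigned whenever `offset` is at or beyond XEN_PAGE_SIZE, which the following `if (offset == PAGE_SIZE)` suggests can happen on builds where PAGE_SIZE is larger than the Xen grant size. In that case `this_len` collapses to `len` and may no longer match the size placed in the first request, so `offset` and `len` advance by the wrong amount. The value has to mirror whatever xennet_make_first_txreq computes, and its body is outside the hunk; if it bounds the request to the offset within the grant, this line should too: `this_len = min_t(unsigned int, XEN_PAGE_SIZE - (offset & ~XEN_PAGE_MASK), len);`. Having the helper report the length it used would be sturdier, since the two computations could then not drift apart. The function continues past the hunk, so any later reads through `tx` are not visible here and should be checked for the same read-back pattern.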