[ 3.5.y.z extended stable ] Patch "macvtap: fix recovery from gup errors" has been added to staging queue

[Luis Henriques]

This is a note to let you know that I have just added a patch titled

    macvtap: fix recovery from gup errors

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From f3ad44d723c09f29557beec634986a22565d171b Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst at redhat.com>
Date: Sun, 23 Jun 2013 17:26:58 +0300
Subject: [PATCH] macvtap: fix recovery from gup errors

commit 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 upstream.

get user pages might fail partially in macvtap zero copy
mode. To recover we need to put all pages that we got,
but code used a wrong index resulting in double-free
errors.

Reported-by: Brad Hubbard <bhubbard at redhat.com>
Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
Acked-by: Jason Wang <jasowang at redhat.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 drivers/net/macvtap.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index 2ee56de..d566234 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -534,8 +534,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
 			return -EMSGSIZE;
 		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
 		if (num_pages != size) {
-			for (i = 0; i < num_pages; i++)
-				put_page(page[i]);
+			int j;
+
+			for (j = 0; j < num_pages; j++)
+				put_page(page[i + j]);
 			return -EFAULT;
 		}
 		truesize = size * PAGE_SIZE;
--
1.8.1.2