diff options
author | Haiyang Zhang | 2012-10-02 05:30:21 +0000 |
---|---|---|
committer | David S. Miller | 2012-10-02 14:39:30 -0400 |
commit | 99e3fcfa34e7ea6dbb44fe5df51b79ccb6f73d3d (patch) | |
tree | e0e136763a441634457ca136522606ce53c8c271 /drivers/net | |
parent | ea4963745f712a746ccb45871a22e0814141a891 (diff) |
hyperv: Fix page buffer handling in rndis_filter_send_request()
To prevent possible data corruption in RNDIS requests, add another
page buffer if the request message crossed page boundary.
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net')
-rw-r--r-- | drivers/net/hyperv/rndis_filter.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c index 617eb2e4b06e..f25f41e1fdb7 100644 --- a/drivers/net/hyperv/rndis_filter.c +++ b/drivers/net/hyperv/rndis_filter.c @@ -45,7 +45,8 @@ struct rndis_request { /* Simplify allocation by having a netvsc packet inline */ struct hv_netvsc_packet pkt; - struct hv_page_buffer buf; + /* Set 2 pages for rndis requests crossing page boundary */ + struct hv_page_buffer buf[2]; struct rndis_message request_msg; /* @@ -227,6 +228,18 @@ static int rndis_filter_send_request(struct rndis_device *dev, packet->page_buf[0].offset = (unsigned long)&req->request_msg & (PAGE_SIZE - 1); + /* Add one page_buf when request_msg crossing page boundary */ + if (packet->page_buf[0].offset + packet->page_buf[0].len > PAGE_SIZE) { + packet->page_buf_cnt++; + packet->page_buf[0].len = PAGE_SIZE - + packet->page_buf[0].offset; + packet->page_buf[1].pfn = virt_to_phys((void *)&req->request_msg + + packet->page_buf[0].len) >> PAGE_SHIFT; + packet->page_buf[1].offset = 0; + packet->page_buf[1].len = req->request_msg.msg_len - + packet->page_buf[0].len; + } + packet->completion.send.send_completion_ctx = req;/* packet; */ packet->completion.send.send_completion = rndis_filter_send_request_completion; |