From: Michael S. Tsirkin <mst@redhat.com>
Date: Sun, 23 Jun 2013 14:19:03 +0000 (+0300)
Subject: tun: fix recovery from gup errors
X-Git-Tag: firefly_0821_release~3680^2~254^2~8
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=7e24bfbe43b545b1689a5f134ed83645b9e34b86;p=firefly-linux-kernel-4.4.55.git

tun: fix recovery from gup errors

get user pages might fail partially in tun zero copy
mode. To recover we need to put all pages that we got,
but code used a wrong index resulting in double-free
errors.

Reported-by: Brad Hubbard <bhubbard@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index bfa9bb48e42d..9c61f8734a40 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1010,8 +1010,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
 			return -EMSGSIZE;
 		num_pages = get_user_pages_fast(base, size, 0, &page[i]);
 		if (num_pages != size) {
-			for (i = 0; i < num_pages; i++)
-				put_page(page[i]);
+			int j;
+
+			for (j = 0; j < num_pages; j++)
+				put_page(page[i + j]);
 			return -EFAULT;
 		}
 		truesize = size * PAGE_SIZE;