On Fri, Sep 7, 2018 at 2:34 PM Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > 4.9-stable review patch. If anyone has any objections, please let me know. > Do your scripts have a bad hair day ? The subject says 4.18. Guenter > ------------------ > > From: Chirantan Ekbote <chirantan@xxxxxxxxxxxx> > > commit d28c756caee6e414d9ba367d0b92da24145af2a8 upstream. > > The zero-copy optimization when reading or writing large chunks of data > is quite useful. However, the 9p messages created through the zero-copy > write path have an incorrect message size: it should be the size of the > header + size of the data being written but instead it's just the size > of the header. > > This only works if the server ignores the size field of the message and > otherwise breaks the framing of the protocol. Fix this by re-writing the > message size field with the correct value. > > Tested by running `dd if=/dev/zero of=out bs=4k count=1` inside a > virtio-9p mount. > > Link: http://lkml.kernel.org/r/20180717003529.114368-1-chirantan@xxxxxxxxxxxx > Signed-off-by: Chirantan Ekbote <chirantan@xxxxxxxxxxxx> > Reviewed-by: Greg Kurz <groug@xxxxxxxx> > Tested-by: Greg Kurz <groug@xxxxxxxx> > Cc: Dylan Reid <dgreid@xxxxxxxxxxxx> > Cc: Guenter Roeck <groeck@xxxxxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Dominique Martinet <dominique.martinet@xxxxxx> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > > --- > net/9p/trans_virtio.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > --- a/net/9p/trans_virtio.c > +++ b/net/9p/trans_virtio.c > @@ -406,6 +406,7 @@ p9_virtio_zc_request(struct p9_client *c > p9_debug(P9_DEBUG_TRANS, "virtio request\n"); > > if (uodata) { > + __le32 sz; > int n = p9_get_mapped_pages(chan, &out_pages, uodata, > outlen, &offs, &need_drop); > if (n < 0) > @@ -416,6 +417,12 @@ p9_virtio_zc_request(struct p9_client *c > memcpy(&req->tc->sdata[req->tc->size - 4], &v, 4); > outlen = n; > } > + /* The size field of the message must include the length of the > + * header and the length of the data. We didn't actually know > + * the length of the data until this point so add it in now. > + */ > + sz = cpu_to_le32(req->tc->size + outlen); > + memcpy(&req->tc->sdata[0], &sz, sizeof(sz)); > } else if (uidata) { > int n = p9_get_mapped_pages(chan, &in_pages, uidata, > inlen, &offs, &need_drop); > >
