[dpdk-stable] patch 'vhost: fix possible dead loop in vector filling' has been queued to LTS release 18.11.1

Kevin Traynor ktraynor at redhat.com
Thu Jan 31 16:48:34 CET 2019


Hi,

FYI, your patch has been queued to LTS release 18.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 02/07/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Kevin Traynor

---
>From ef846dc5243732117953303e500f29d7386611f2 Mon Sep 17 00:00:00 2001
From: Tiwei Bie <tiwei.bie at intel.com>
Date: Fri, 4 Jan 2019 12:06:41 +0800
Subject: [PATCH] vhost: fix possible dead loop in vector filling

[ upstream commit 450539b47ec89bcb49973a24b4c85c5f0bc8f37b ]

Fix a possible dead loop, which may happen e.g. when the driver
creates a loop in the desc list and the lens in the descs are zero.

Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
Fixes: 2f3225a7d69b ("vhost: add vector filling support for packed ring")

Signed-off-by: Tiwei Bie <tiwei.bie at intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
---
 lib/librte_vhost/virtio_net.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 8ddee4ca5..ed9c0847f 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -336,4 +336,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	uint32_t len    = 0;
 	uint64_t dlen;
+	uint32_t nr_descs = vq->size;
 	struct vring_desc *descs = vq->desc;
 	struct vring_desc *idesc = NULL;
@@ -346,4 +347,8 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	if (vq->desc[idx].flags & VRING_DESC_F_INDIRECT) {
 		dlen = vq->desc[idx].len;
+		nr_descs = dlen / sizeof(struct vring_desc);
+		if (unlikely(nr_descs > vq->size))
+			return -1;
+
 		descs = (struct vring_desc *)(uintptr_t)
 			vhost_iova_to_vva(dev, vq, vq->desc[idx].addr,
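Review bot: The division in `nr_descs = dlen / sizeof(struct vring_desc);` rounds down, so an indirect table whose length is not a whole number of descriptors is accepted with its tail ignored instead of being rejected as malformed. Since `dlen` is read from a descriptor that the guest driver writes, consider folding that case into the same guard: `if (unlikely(dlen % sizeof(struct vring_desc) || nr_descs > vq->size))`. This rejection, the loop-counter one later in this function and the one added to fill_vec_buf_packed all return -1 without a trace; a debug-level log line or a per-virtqueue error counter on these paths would let an operator spot a driver that submits looping or oversized chains. The rest of fill_vec_buf_split lies outside the hunk.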
@@ -375,4 +380,9 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 		}
 
+		if (unlikely(nr_descs-- == 0)) {
+			free_ind_table(idesc);
+			return -1;
+		}
+
 		len += descs[idx].len;
 
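Review bot: `nr_descs-- == 0` folds the decrement into the test, so after the first pass `nr_descs` no longer holds the table size and cannot also bound `idx`, and on the failing pass the unsigned counter wraps just before the return. The index check above this hunk is not visible here; if it compares `idx` with `vq->size`, an indirect table shorter than the ring could still be indexed past its end (inferred, not shown). Keeping `nr_descs` constant and counting separately would cover both cases, e.g. `uint32_t cnt = 0;` next to the other locals and `if (unlikely(idx >= nr_descs || cnt++ >= nr_descs)) {` here. The enclosing loop starts and ends outside the hunk.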
@@ -537,4 +547,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
 			return -1;
 
+		if (unlikely(*desc_count >= vq->size))
+			return -1;
+
 		*desc_count += 1;
 		*buf_id = descs[avail_idx].id;
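Review bot: The check `*desc_count >= vq->size` only bounds the walk if `*desc_count` is reset to zero before each chain, and that reset happens outside the hunk, so it is worth confirming. If a caller accumulated the count across calls, valid chains would start failing here. A short comment above the check, `/* a chain can never hold more descriptors than the ring */`, would record why `vq->size` is the limit and why the test sits before the increment.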
-- 
2.19.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2019-01-31 15:44:06.352457433 +0000
+++ 0026-vhost-fix-possible-dead-loop-in-vector-filling.patch	2019-01-31 15:44:05.000000000 +0000
@@ -1,14 +1,15 @@
-From 450539b47ec89bcb49973a24b4c85c5f0bc8f37b Mon Sep 17 00:00:00 2001
+From ef846dc5243732117953303e500f29d7386611f2 Mon Sep 17 00:00:00 2001
 From: Tiwei Bie <tiwei.bie at intel.com>
 Date: Fri, 4 Jan 2019 12:06:41 +0800
 Subject: [PATCH] vhost: fix possible dead loop in vector filling
 
+[ upstream commit 450539b47ec89bcb49973a24b4c85c5f0bc8f37b ]
+
 Fix a possible dead loop which may happen, e.g. when driver
 created a loop in the desc list and lens in descs are zero.
 
 Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
 Fixes: 2f3225a7d69b ("vhost: add vector filling support for packed ring")
-Cc: stable at dpdk.org
 
 Signed-off-by: Tiwei Bie <tiwei.bie at intel.com>
 Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
@@ -17,16 +18,16 @@
  1 file changed, 13 insertions(+)
 
 diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
-index d64c355b9..0893a1d04 100644
+index 8ddee4ca5..ed9c0847f 100644
 --- a/lib/librte_vhost/virtio_net.c
 +++ b/lib/librte_vhost/virtio_net.c
-@@ -310,4 +310,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -336,4 +336,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
  	uint32_t len    = 0;
  	uint64_t dlen;
 +	uint32_t nr_descs = vq->size;
  	struct vring_desc *descs = vq->desc;
  	struct vring_desc *idesc = NULL;
-@@ -320,4 +321,8 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -346,4 +347,8 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
  	if (vq->desc[idx].flags & VRING_DESC_F_INDIRECT) {
  		dlen = vq->desc[idx].len;
 +		nr_descs = dlen / sizeof(struct vring_desc);
@@ -35,7 +36,7 @@
 +
  		descs = (struct vring_desc *)(uintptr_t)
  			vhost_iova_to_vva(dev, vq, vq->desc[idx].addr,
-@@ -349,4 +354,9 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -375,4 +380,9 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
  		}
  
 +		if (unlikely(nr_descs-- == 0)) {
@@ -45,7 +46,7 @@
 +
  		len += descs[idx].len;
  
-@@ -511,4 +521,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -537,4 +547,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
  			return -1;
  
 +		if (unlikely(*desc_count >= vq->size))

