[PATCH v2] vhost: fix avail idx update error when desc copy failed

[Gaoxiang Liu]

Hi，Chenbo


If vhost driver receives a mbuf list，the mbuf list has two mbuf，
and the pkt_len of the first mbuf in the mbuf list is the sum of data_len of all mbuf，and the pkt_len of the second mbuf is 0.
When desc_to_mbuf failed，i added 1 and last_avail_idx added i.

It may cause the first mbuf to be dropped and the second mbuf to be received.
It is abnormal，because the received mbuf is not
complete due to lack of the first mbuf，and its pkt_len is 0.
Because the sender sends a normal mbuf-list packet，the vhost app receives the mbuf and considers it should be a normal pkt.
The pkt_len is used ，but is not checked，when the vhost app calculates the checksum of the pkt.
The pkt_len minus the length of the UDP header is a large value because of the negative number reverse.
It results in segment fault when the vhost app uses the large value to traverse the mbuf ，if the address of the mbuf is largest in all mbuf，because the vhost app may access invalid memory .


Thanks.
Gaoxiang







---- Replied Message ----
| From | Xia, Chenbo<chenbo.xia at intel.com> |
| Date | 07/01/2022 21:05 |
| To | Gaoxiang Liu<gaoxiangliu0 at 163.com>,
maxime.coquelin at redhat.com<maxime.coquelin at redhat.com> |
| Cc | dev at dpdk.org<dev at dpdk.org>,
liugaoxiang at huawei.com<liugaoxiang at huawei.com>,
stable at dpdk.org<stable at dpdk.org> |
| Subject | RE: [PATCH v2] vhost: fix avail idx update error when desc copy failed |
> -----Original Message-----
> From: Gaoxiang Liu <gaoxiangliu0 at 163.com>
> Sent: Wednesday, June 22, 2022 9:20 AM
> To: maxime.coquelin at redhat.com; Xia, Chenbo <chenbo.xia at intel.com>
> Cc: dev at dpdk.org; liugaoxiang at huawei.com; Gaoxiang Liu
> <gaoxiangliu0 at 163.com>; stable at dpdk.org
> Subject: [PATCH v2] vhost: fix avail idx update error when desc copy
> failed
>
> When copy_desc_to_mbuf function failed, i added 1.

Function name now is desc_to_mbuf

> And last_avail_idx added i, other than i - 1.
> It may cause that the first mbuf in mbuf-list is dropped,
> the second mbuf in mbuf-list is received in the following
> rx procedure.
> And The pkt_len of the second mbuf is zero, resulting in
> segment fault when parsing the mbuf.

Could you help elaborate more? Do you mean first mbuf len is zero
as it's dropped? And where does the segfault happen? APP? Please
describe more to help understand the issue.

But I do notice one problem here is if vhost APP does not handle
the mbuf array correctly, some packets will be missed in the case
of pkts got dropped in the middle of a burst.

Thanks,
Chenbo

>
> Fixes: 0fd5608ef97f ("vhost: handle mbuf allocation failure")
> Cc: stable at dpdk.org
>
> Signed-off-by: Gaoxiang Liu <liugaoxiang at huawei.com>
>
> ---
> v2:
> * Fixed other idx update errors.
> ---
>  lib/vhost/virtio_net.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
> index 68a26eb17d..eb254e1024 100644
> --- a/lib/vhost/virtio_net.c
> +++ b/lib/vhost/virtio_net.c
> @@ -2850,11 +2850,11 @@ virtio_dev_tx_split(struct virtio_net *dev, struct
> vhost_virtqueue *vq,
>      if (dropped)
>          rte_pktmbuf_free_bulk(&pkts[i - 1], count - i + 1);
>
> -    vq->last_avail_idx += i;
> +    vq->last_avail_idx += i - dropped;
>
>      do_data_copy_dequeue(vq);
> -    if (unlikely(i < count))
> -        vq->shadow_used_idx = i;
> +    if (unlikely((i - dropped) < count))
> +        vq->shadow_used_idx = i - dropped;
>      if (likely(vq->shadow_used_idx)) {
>          flush_shadow_used_ring_split(dev, vq);
>          vhost_vring_call_split(dev, vq);
> --
> 2.32.0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mails.dpdk.org/archives/stable/attachments/20220702/c2e2433f/attachment.htm>