From patchwork Mon Aug 1 11:53:19 2022
X-Patchwork-Submitter: Claudio Fontana
X-Patchwork-Id: 114487
X-Patchwork-Delegate: maxime.coquelin@redhat.com
From: Claudio Fontana
To: dev@dpdk.org
Cc: Claudio Fontana
Subject: [PATCH 1/2] vhost: fix error handling in virtio_dev_tx_split
Date: Mon, 1 Aug 2022 13:53:19 +0200
Message-Id: <20220801115320.17186-2-cfontana@suse.de>
In-Reply-To: <20220801115320.17186-1-cfontana@suse.de>
References: <20220801115320.17186-1-cfontana@suse.de>
List-Id: DPDK patches and discussions

In virtio_dev_split we add a check for invalid nr_vec,
mainly for nr_vec == 0 (but add a check for BUF_VECTOR_MAX too),
and bail out before calling desc_to_mbuf, otherwise in desc_to_mbuf
we end up trying to memcpy from a source address buf_vec[0] that is
an uninitialized stack variable.

This should fix errors that have been reported on multiple occasions
from telcos to the DPDK, OVS and QEMU projects, as this affects in
particular the openvswitch/DPDK, QEMU vhost-user setup.

The back trace looks roughly like this, depending on the specific
rte_memcpy selected, etc, in any case the "src" parameter is garbage
(in this example containing 0 + dev->host_hlen(12 = 0xc)).

Thread 153 "pmd-c88/id:150" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f64e5e6b700 (LWP 141373)]
rte_mov128blocks (n=2048, src=0xc , dst=0x150da4480) at ../lib/eal/x86/include/rte_memcpy.h:384
(gdb) bt
0 rte_mov128blocks (n=2048, src=0xc, dst=0x150da4480)
1 rte_memcpy_generic (n=2048, src=0xc, dst=0x150da4480)
2 rte_memcpy (n=2048, src=0xc, dst=)
3 sync_fill_seg
4 desc_to_mbuf
5 virtio_dev_tx_split
6 virtio_dev_tx_split_legacy
7 0x00007f676fea0fef in rte_vhost_dequeue_burst
8 0x00007f6772005a62 in netdev_dpdk_vhost_rxq_recv
9 0x00007f6771f38116 in netdev_rxq_recv
10 0x00007f6771f03d96 in dp_netdev_process_rxq_port
11 0x00007f6771f04239 in pmd_thread_main
12 0x00007f6771f92aff in ovsthread_wrapper
13 0x00007f6771c1b6ea in start_thread
14 0x00007f6771933a8f in clone

Tested-by: Claudio Fontana
Signed-off-by: Claudio Fontana
---
 lib/vhost/virtio_net.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c index 35fa4670fd..0b8db2046e 100644 --- a/lib/vhost/virtio_net.c +++ b/lib/vhost/virtio_net.c
@@ -2917,9 +2917,16 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq, vq->last_avail_idx + i, &nr_vec, buf_vec, &head_idx, &buf_len, - VHOST_ACCESS_RO) < 0)) + VHOST_ACCESS_RO) < 0)) { + dropped += 1; + i++; break; - + } + if (unlikely(nr_vec < 1 || nr_vec >= BUF_VECTOR_MAX)) { + dropped += 1; + i++; + break; + } update_shadow_used_ring_split(vq, head_idx, 0); err = virtio_dev_pktmbuf_prep(dev, pkts[i], buf_len);

From patchwork Mon Aug 1 11:53:20 2022
X-Patchwork-Submitter: Claudio Fontana
X-Patchwork-Id: 114488
X-Patchwork-Delegate: maxime.coquelin@redhat.com
From: Claudio Fontana
To: dev@dpdk.org
Cc: Claudio Fontana
Subject: [PATCH 2/2] vhost: improve error handling in desc_to_mbuf
Date: Mon, 1 Aug 2022 13:53:20 +0200
Message-Id: <20220801115320.17186-3-cfontana@suse.de>
In-Reply-To: <20220801115320.17186-1-cfontana@suse.de>
References: <20220801115320.17186-1-cfontana@suse.de>
List-Id: DPDK patches and discussions

check when increasing vec_idx that it is still valid
in the (buf_len < dev->vhost_hlen) case too.

Signed-off-by: Claudio Fontana
---
 lib/vhost/virtio_net.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c index 0b8db2046e..6d34feaf73 100644 --- a/lib/vhost/virtio_net.c +++ b/lib/vhost/virtio_net.c @@ -2701,12 +2701,15 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq, if (unlikely(buf_len < dev->vhost_hlen)) { buf_offset = dev->vhost_hlen - buf_len; vec_idx++; + if (unlikely(vec_idx >= nr_vec)) + goto error; buf_addr = buf_vec[vec_idx].buf_addr; buf_iova = buf_vec[vec_idx].buf_iova; buf_len = buf_vec[vec_idx].buf_len; buf_avail = buf_len - buf_offset; } else if (buf_len == dev->vhost_hlen) { - if (unlikely(++vec_idx >= nr_vec)) + vec_idx++; + if (unlikely(vec_idx >= nr_vec)) goto error; buf_addr = buf_vec[vec_idx].buf_addr; buf_iova = buf_vec[vec_idx].buf_iova;
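
Review bot: [PATCH 1/2], the new "if (unlikely(nr_vec < 1 || nr_vec >= BUF_VECTOR_MAX))" test in virtio_dev_tx_split only runs after the preceding call has passed its "< 0" check, so it is catching a success return that left nr_vec at 0, and neither the hunk nor the commit message says how that state arises. Please either make the function that fills buf_vec fail in that case, so every caller is covered, or add a comment and an error log here explaining which guest-supplied ring contents lead to it; as written the packet is dropped silently. On the upper bound: if buf_vec holds BUF_VECTOR_MAX entries, nr_vec == BUF_VECTOR_MAX is a full but in-range vector and ">" rather than ">=" may be what is meant. The check also sits before "update_shadow_used_ring_split(vq, head_idx, 0);", so it is worth stating in the commit message what happens to the head_idx chain on this path. Minor: the two error paths now repeat the same three statements and could share one exit.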
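
Review bot: [PATCH 2/2], in the "buf_len < dev->vhost_hlen" branch of desc_to_mbuf the added "vec_idx >= nr_vec" test bounds the index but not the length: the following "buf_avail = buf_len - buf_offset;" still assumes the next buffer is at least buf_offset bytes long. If the header spans more than two buffers, or the second one is shorter than the remaining header bytes, that subtraction goes negative (or wraps, if these are unsigned) and later copies would be sized from it. Suggest adding a "buf_len < buf_offset" check with "goto error" after reloading buf_len, or looping until the header is consumed. The change from "++vec_idx >= nr_vec" to a separate "vec_idx++;" in the second branch does not alter behaviour; say in the commit message that it is a style alignment so it is not read as part of the fix.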