[v3,2/7] vhost: make gpa to hpa failure an error

Message ID: 20180627144959.17277-3-maxime.coquelin@redhat.com (mailing list archive)
State: Superseded, archived
Delegated to: Maxime Coquelin
Series: vhost: generalize buffer vectors

Checks

Context Check Description
ci/Intel-compilation success Compilation OK

Commit Message

Maxime Coquelin June 27, 2018, 2:49 p.m. UTC
  CVE-2018-1059 fix makes sure gpa contiguous memory is
also contiguous in hva space. Incidentally, it also makes
sure it is contiguous in hpa space.

So we can simplify the code by making gpa contiguous memory
discontiguous in hpa space an error.

Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
 lib/librte_vhost/virtio_net.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
  

Comments

Tiwei Bie July 3, 2018, 4:45 a.m. UTC | #1
On Wed, Jun 27, 2018 at 04:49:54PM +0200, Maxime Coquelin wrote:
> CVE-2018-1059 fix makes sure gpa contiguous memory is
> also contiguous in hva space. Incidentally, it also makes
> sure it is contiguous in hpa space.
> 
> So we can simplify the code by making gpa contiguous memory
> discontiguous in hpa space an error.

Does it mean that when the guest virtio driver is using
gpa contiguous but hpa discontiguous memory, vhost
won't be able to process the corresponding desc?
And in this case, should vhost skip this desc?

Best regards,
Tiwei Bie

> 
> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
> ---
>  lib/librte_vhost/virtio_net.c | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
> index 7e70a927f..ec4bcc400 100644
> --- a/lib/librte_vhost/virtio_net.c
> +++ b/lib/librte_vhost/virtio_net.c
> @@ -884,13 +884,13 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
>  
>  		cpy_len = RTE_MIN(desc_chunck_len, mbuf_avail);
>  
> -		/*
> -		 * A desc buf might across two host physical pages that are
> -		 * not continuous. In such case (gpa_to_hpa returns 0), data
> -		 * will be copied even though zero copy is enabled.
> -		 */
> -		if (unlikely(dev->dequeue_zero_copy && (hpa = gpa_to_hpa(dev,
> -					desc_gaddr + desc_offset, cpy_len)))) {
> +		if (unlikely(dev->dequeue_zero_copy)) {
> +			hpa = gpa_to_hpa(dev,
> +					desc_gaddr + desc_offset, cpy_len);
> +			if (unlikely(!hpa)) {
> +				error = -1;
> +				goto out;
> +			}
>  			cur->data_len = cpy_len;
>  			cur->data_off = 0;
>  			cur->buf_addr = (void *)(uintptr_t)(desc_addr
> -- 
> 2.14.4
>
  
Maxime Coquelin July 3, 2018, 5:51 a.m. UTC | #2
On 07/03/2018 06:45 AM, Tiwei Bie wrote:
> On Wed, Jun 27, 2018 at 04:49:54PM +0200, Maxime Coquelin wrote:
>> CVE-2018-1059 fix makes sure gpa contiguous memory is
>> also contiguous in hva space. Incidentally, it also makes
>> sure it is contiguous in hpa space.
>>
>> So we can simplify the code by making gpa contiguous memory
>> discontiguous in hpa space an error.
> 
> Does it mean that when the guest virtio driver is using
> gpa contiguous but hpa discontiguous memory, vhost
> won't be able to process the corresponding desc?
> And in this case, should vhost skip this desc?

No, I think that's a mistake from my side, I mixed hpa and hva,
and so thought that this case would never happen as we already
manage buffers discontiguous in hva space.

I'll revert to the old behaviour.

Thanks!
Maxime

> Best regards,
> Tiwei Bie
> 
>>
>> Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
>> ---
>>   lib/librte_vhost/virtio_net.c | 14 +++++++-------
>>   1 file changed, 7 insertions(+), 7 deletions(-)
>>
>> diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
>> index 7e70a927f..ec4bcc400 100644
>> --- a/lib/librte_vhost/virtio_net.c
>> +++ b/lib/librte_vhost/virtio_net.c
>> @@ -884,13 +884,13 @@ copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
>>   
>>   		cpy_len = RTE_MIN(desc_chunck_len, mbuf_avail);
>>   
>> -		/*
>> -		 * A desc buf might across two host physical pages that are
>> -		 * not continuous. In such case (gpa_to_hpa returns 0), data
>> -		 * will be copied even though zero copy is enabled.
>> -		 */
>> -		if (unlikely(dev->dequeue_zero_copy && (hpa = gpa_to_hpa(dev,
>> -					desc_gaddr + desc_offset, cpy_len)))) {
>> +		if (unlikely(dev->dequeue_zero_copy)) {
>> +			hpa = gpa_to_hpa(dev,
>> +					desc_gaddr + desc_offset, cpy_len);
>> +			if (unlikely(!hpa)) {
>> +				error = -1;
>> +				goto out;
>> +			}
>>   			cur->data_len = cpy_len;
>>   			cur->data_off = 0;
>>   			cur->buf_addr = (void *)(uintptr_t)(desc_addr
>> -- 
>> 2.14.4
>>
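
The case discussed in the two comments above, as an added example that is not part of the thread and is not DPDK code: a buffer that is contiguous in gpa but spans two chunks that are not adjacent in hpa, and what the old (copy fallback) and patched (error) behaviours do with it. All model_* names and the page-table values are constructed for illustration; as in the hunk, a returned hpa of 0 means the lookup failed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: one entry per host-physically contiguous chunk. */
struct model_page { uint64_t gpa, hpa, size; };

/* Constructed sample: two guest pages adjacent in gpa, far apart in hpa. */
static const struct model_page model_pages[] = {
    { 0x1000, 0x80000, 0x1000 },
    { 0x2000, 0x10000, 0x1000 },
};

/* Return the hpa only if [gpa, gpa + len) lies inside a single chunk,
 * otherwise 0. Written so the bounds check cannot overflow. */
static uint64_t model_gpa_to_hpa(uint64_t gpa, uint64_t len)
{
    size_t n = sizeof(model_pages) / sizeof(model_pages[0]);
    for (size_t i = 0; i < n; i++) {
        const struct model_page *p = &model_pages[i];
        if (gpa >= p->gpa && len <= p->size &&
            gpa - p->gpa <= p->size - len)
            return p->hpa + (gpa - p->gpa);
    }
    return 0;
}

enum model_path { MODEL_ZERO_COPY, MODEL_COPY, MODEL_ERROR };

/* strict == 0 models the old code (failed lookup falls back to copying),
 * strict == 1 models the patched code (failed lookup is an error). */
static enum model_path model_dequeue_path(int zero_copy, int strict,
                                          uint64_t gpa, uint64_t len)
{
    if (!zero_copy)
        return MODEL_COPY;
    if (model_gpa_to_hpa(gpa, len) != 0)
        return MODEL_ZERO_COPY;
    return strict ? MODEL_ERROR : MODEL_COPY;
}

int main(void)
{
    /* 0x200 bytes starting 0x100 before the end of the first page. */
    printf("old: %d, patched: %d\n",
           model_dequeue_path(1, 0, 0x1f00, 0x200),
           model_dequeue_path(1, 1, 0x1f00, 0x200));
    return 0;
}
```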
  

Patch

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 7e70a927f..ec4bcc400 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -884,13 +884,13 @@  copy_desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
 
 		cpy_len = RTE_MIN(desc_chunck_len, mbuf_avail);
 
-		/*
-		 * A desc buf might across two host physical pages that are
-		 * not continuous. In such case (gpa_to_hpa returns 0), data
-		 * will be copied even though zero copy is enabled.
-		 */
-		if (unlikely(dev->dequeue_zero_copy && (hpa = gpa_to_hpa(dev,
-					desc_gaddr + desc_offset, cpy_len)))) {
+		if (unlikely(dev->dequeue_zero_copy)) {
+			hpa = gpa_to_hpa(dev,
+					desc_gaddr + desc_offset, cpy_len);
+			if (unlikely(!hpa)) {
+				error = -1;
+				goto out;
+			}
 			cur->data_len = cpy_len;
 			cur->data_off = 0;
 			cur->buf_addr = (void *)(uintptr_t)(desc_addr
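
Review bot: In the new "if (unlikely(!hpa))" branch, a zero return from gpa_to_hpa() now sets error = -1 and jumps to out, where the removed condition simply skipped the zero-copy branch. The deleted comment states that a desc buf might span two host physical pages that are not contiguous and that the data is then copied even though zero copy is enabled, so this turns a case the old code handled into a failure for that descriptor. The commit message justifies the change by contiguity in hva space, but nothing in these lines shows that hva contiguity implies hpa contiguity. Suggest keeping the combined condition so a zero hpa still falls through to the copy path, or, if the error is kept, replacing the removed comment with one stating why gpa_to_hpa() cannot return 0 here.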