From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ktraynor@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by dpdk.org (Postfix) with ESMTP id 9AB1D1B104
 for <stable@dpdk.org>; Wed, 21 Nov 2018 17:06:43 +0100 (CET)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
 [10.5.11.13])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 0A1D658E3B;
 Wed, 21 Nov 2018 16:06:43 +0000 (UTC)
Received: from ktraynor.remote.csb (unknown [10.36.118.7])
 by smtp.corp.redhat.com (Postfix) with ESMTP id EA2D35F7D9;
 Wed, 21 Nov 2018 16:06:41 +0000 (UTC)
From: Kevin Traynor <ktraynor@redhat.com>
To: Jiayu Hu <jiayu.hu@intel.com>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>, dpdk stable <stable@dpdk.org>
Date: Wed, 21 Nov 2018 16:04:27 +0000
Message-Id: <20181121160440.9014-37-ktraynor@redhat.com>
In-Reply-To: <20181121160440.9014-1-ktraynor@redhat.com>
References: <20181121160440.9014-1-ktraynor@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.39]); Wed, 21 Nov 2018 16:06:43 +0000 (UTC)
Subject: [dpdk-stable] patch 'vhost: fix corner case for enqueue operation'
	has been queued to stable release 18.08.1
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 16:06:44 -0000

Hi,

FYI, your patch has been queued to stable release 18.08.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/26/18. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the patch applied
to the branch. If the code is different (ie: not only metadata diffs), due for example to
a change in context or macro names, please double check it.

Thanks.

Kevin Traynor

---
>>From 2f83697cdf5095d1b553240c45a1a229d4c44c3b Mon Sep 17 00:00:00 2001
From: Jiayu Hu <jiayu.hu@intel.com>
Date: Mon, 17 Sep 2018 11:54:42 +0800
Subject: [PATCH] vhost: fix corner case for enqueue operation

[ upstream commit 729199397f9fc4ba265e94d492c792244e8c364b ]

When performing enqueue operations on the split and packed rings,
if the reserved buffer length from the descriptor table exceeds
65535, the returned length by fill_vec_buf_split/_packed()
overflows. This patch is to avoid this corner case.

Fixes: f689586bc060 ("vhost: shadow used ring update")
Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
Fixes: 2f3225a7d69b ("vhost: add vector filling support for packed ring")
Fixes: 37f5e79a271d ("vhost: add shadow used ring support for packed rings")
Fixes: a922401f35cc ("vhost: add Rx support for packed ring")
Fixes: ae999ce49dcb ("vhost: add Tx support for packed ring")

Signed-off-by: Jiayu Hu <jiayu.hu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
 lib/librte_vhost/virtio_net.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 4bfae76a6..f8794ee19 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -123,5 +123,5 @@ flush_shadow_used_ring_split(struct virtio_net *dev, struct vhost_virtqueue *vq)
 static __rte_always_inline void
 update_shadow_used_ring_split(struct vhost_virtqueue *vq,
-			 uint16_t desc_idx, uint16_t len)
+			 uint16_t desc_idx, uint32_t len)
 {
 	uint16_t i = vq->shadow_used_idx++;
@@ -187,5 +187,5 @@ flush_shadow_used_ring_packed(struct virtio_net *dev,
 static __rte_always_inline void
 update_shadow_used_ring_packed(struct vhost_virtqueue *vq,
-			 uint16_t desc_idx, uint16_t len, uint16_t count)
+			 uint16_t desc_idx, uint32_t len, uint16_t count)
 {
 	uint16_t i = vq->shadow_used_idx++;
@@ -330,5 +330,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 			 uint32_t avail_idx, uint16_t *vec_idx,
 			 struct buf_vector *buf_vec, uint16_t *desc_chain_head,
-			 uint16_t *desc_chain_len, uint8_t perm)
+			 uint32_t *desc_chain_len, uint8_t perm)
 {
 	uint16_t idx = vq->avail->ring[avail_idx & (vq->size - 1)];
@@ -410,5 +410,5 @@ reserve_avail_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 
 	uint16_t head_idx = 0;
-	uint16_t len = 0;
+	uint32_t len = 0;
 
 	*num_buffers = 0;
@@ -453,5 +453,5 @@ fill_vec_buf_packed_indirect(struct virtio_net *dev,
 			struct vhost_virtqueue *vq,
 			struct vring_packed_desc *desc, uint16_t *vec_idx,
-			struct buf_vector *buf_vec, uint16_t *len, uint8_t perm)
+			struct buf_vector *buf_vec, uint32_t *len, uint8_t perm)
 {
 	uint16_t i;
@@ -509,5 +509,5 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
 				uint16_t avail_idx, uint16_t *desc_count,
 				struct buf_vector *buf_vec, uint16_t *vec_idx,
-				uint16_t *buf_id, uint16_t *len, uint8_t perm)
+				uint16_t *buf_id, uint32_t *len, uint8_t perm)
 {
 	bool wrap_counter = vq->avail_wrap_counter;
@@ -574,5 +574,5 @@ reserve_avail_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
 
 	uint16_t buf_id = 0;
-	uint16_t len = 0;
+	uint32_t len = 0;
 	uint16_t desc_count;
 
@@ -1380,5 +1380,6 @@ virtio_dev_tx_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	for (i = 0; i < count; i++) {
 		struct buf_vector buf_vec[BUF_VECTOR_MAX];
-		uint16_t head_idx, dummy_len;
+		uint16_t head_idx;
+		uint32_t dummy_len;
 		uint16_t nr_vec = 0;
 		int err;
@@ -1487,5 +1488,6 @@ virtio_dev_tx_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	for (i = 0; i < count; i++) {
 		struct buf_vector buf_vec[BUF_VECTOR_MAX];
-		uint16_t buf_id, dummy_len;
+		uint16_t buf_id;
+		uint32_t dummy_len;
 		uint16_t desc_count, nr_vec = 0;
 		int err;
-- 
2.19.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2018-11-21 15:59:14.562575328 +0000
+++ 0037-vhost-fix-corner-case-for-enqueue-operation.patch	2018-11-21 15:59:13.000000000 +0000
@@ -1,8 +1,10 @@
-From 729199397f9fc4ba265e94d492c792244e8c364b Mon Sep 17 00:00:00 2001
+From 2f83697cdf5095d1b553240c45a1a229d4c44c3b Mon Sep 17 00:00:00 2001
 From: Jiayu Hu <jiayu.hu@intel.com>
 Date: Mon, 17 Sep 2018 11:54:42 +0800
 Subject: [PATCH] vhost: fix corner case for enqueue operation
 
+[ upstream commit 729199397f9fc4ba265e94d492c792244e8c364b ]
+
 When performing enqueue operations on the split and packed rings,
 if the reserved buffer length from the descriptor table exceeds
 65535, the returned length by fill_vec_buf_split/_packed()
@@ -14,7 +16,6 @@
 Fixes: 37f5e79a271d ("vhost: add shadow used ring support for packed rings")
 Fixes: a922401f35cc ("vhost: add Rx support for packed ring")
 Fixes: ae999ce49dcb ("vhost: add Tx support for packed ring")
-Cc: stable@dpdk.org
 
 Signed-off-by: Jiayu Hu <jiayu.hu@intel.com>
 Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>