From: David Marchand To: dev@dpdk.org Cc: maxime.coquelin@redhat.com, chenbo.xia@intel.com, stable@dpdk.org, Wenxiang Qian Subject: [PATCH 1/2] vhost: fix queue number check when setting inflight FD Date: Thu, 10 Mar 2022 13:50:58 +0100 Message-Id: <20220310125059.30562-1-david.marchand@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=david.marchand@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org From: Chenbo Xia In function vhost_user_set_inflight_fd, queue number in inflight message is used to access virtqueue. However, queue number could be larger than VHOST_MAX_VRING and cause write OOB as this number will be used to write inflight info in virtqueue structure. This patch checks the queue number to avoid the issue and also make sure virtqueues are allocated before setting inflight information. Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information") Cc: stable@dpdk.org Reported-by: Wenxiang Qian Signed-off-by: Chenbo Xia --- lib/vhost/vhost_user.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c index 589b950458..1ec4357bee 100644 --- a/lib/vhost/vhost_user.c +++ b/lib/vhost/vhost_user.c @@ -2883,6 +2883,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev, case VHOST_USER_SET_VRING_ADDR: vring_idx = ctx->msg.payload.addr.index; break; + case VHOST_USER_SET_INFLIGHT_FD: + vring_idx = ctx->msg.payload.inflight.num_queues - 1; + break; default: return 0; } -- 2.23.0
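Review bot: In the new `case VHOST_USER_SET_INFLIGHT_FD:` arm, `vring_idx = ctx->msg.payload.inflight.num_queues - 1;` has no visible guard for a message that carries `num_queues == 0`. The subtraction then produces -1, or a wrapped maximum value if `vring_idx` is unsigned, and the hunk does not show how the code after the `switch` treats that. Since `num_queues` comes straight from the peer's message, either reject zero explicitly in this arm or add a one-line comment stating that the range check following the `switch` also catches the wrapped value. A second, smaller point on the same lines: only the highest index is derived here, so the commit message's promise that virtqueues are allocated before the inflight information is written holds only if the rest of `vhost_user_check_and_alloc_queue_pair()` covers every index from 0 up to `num_queues - 1` and not just `vring_idx` itself. That is worth confirming and noting in the commit message.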