From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by dpdk.space (Postfix) with ESMTP id BF15CA05D3
	for <public@inbox.dpdk.org>; Wed, 27 Mar 2019 19:32:28 +0100 (CET)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 943B358C4;
	Wed, 27 Mar 2019 19:32:28 +0100 (CET)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com
 (mail-eopbgr20075.outbound.protection.outlook.com [40.107.2.75])
 by dpdk.org (Postfix) with ESMTP id 6065058C4
 for <stable@dpdk.org>; Wed, 27 Mar 2019 19:32:27 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Mellanox.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=Gv/K4zIDjNZyLhc+SzicWJ0oAnkXdcbkM4c7YPTmJXI=;
 b=SSbZnQ0EZ/KzT+9ASWiBlS0bnjayXOm/s0xCyk1uCVA6YLbhbK/EnEJlB6KYgGjN0UzCVQh1AZBRw5ejaDkNLlMcM3BkA9gX/9LA2//kTTP41odpMaV2Iclxtqubfx2Kgl2U4BJuazFC1jvowJV33Ea77pbCVBQMe2WZ9aME8dM=
Received: from DB3PR0502MB3980.eurprd05.prod.outlook.com (52.134.72.27) by
 DB3PR0502MB4073.eurprd05.prod.outlook.com (52.134.68.156) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1730.18; Wed, 27 Mar 2019 18:32:24 +0000
Received: from DB3PR0502MB3980.eurprd05.prod.outlook.com
 ([fe80::6072:43be:7c2d:103a]) by DB3PR0502MB3980.eurprd05.prod.outlook.com
 ([fe80::6072:43be:7c2d:103a%3]) with mapi id 15.20.1750.014; Wed, 27 Mar 2019
 18:32:24 +0000
From: Yongseok Koh <yskoh@mellanox.com>
To: Tiwei Bie <tiwei.bie@intel.com>
CC: "stable@dpdk.org" <stable@dpdk.org>, "maxime.coquelin@redhat.com"
 <maxime.coquelin@redhat.com>, "zhihong.wang@intel.com"
 <zhihong.wang@intel.com>
Thread-Topic: [PATCH 17.11] vhost: fix access for indirect descriptors
Thread-Index: AQHU2xClYgmM6IIb9EmtI+FkPKady6Yf4LWA
Date: Wed, 27 Mar 2019 18:32:24 +0000
Message-ID: <44906910-6D2D-4E50-AD5D-A2FE17E6535F@mellanox.com>
References: <20190315092132.4106-1-tiwei.bie@intel.com>
In-Reply-To: <20190315092132.4106-1-tiwei.bie@intel.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=yskoh@mellanox.com; 
x-originating-ip: [209.116.155.178]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4e8685e7-687e-4a8c-707f-08d6b2e28ed8
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0;
 RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020);
 SRVR:DB3PR0502MB4073; 
x-ms-traffictypediagnostic: DB3PR0502MB4073:
x-microsoft-antispam-prvs: <DB3PR0502MB4073769E93A804AA496040F2C3580@DB3PR0502MB4073.eurprd05.prod.outlook.com>
x-forefront-prvs: 0989A7979C
x-forefront-antispam-report: SFV:NSPM;
 SFS:(10009020)(39860400002)(376002)(136003)(346002)(396003)(366004)(199004)(189003)(6246003)(11346002)(256004)(6486002)(99286004)(86362001)(83716004)(66066001)(14444005)(229853002)(36756003)(6436002)(14454004)(7736002)(305945005)(186003)(316002)(54906003)(53936002)(71190400001)(6512007)(82746002)(26005)(105586002)(81166006)(2616005)(81156014)(4326008)(25786009)(486006)(8936002)(476003)(8676002)(102836004)(5660300002)(478600001)(6916009)(6506007)(97736004)(33656002)(446003)(2906002)(68736007)(3846002)(53546011)(6116002)(71200400001)(76176011)(106356001);
 DIR:OUT; SFP:1101; SCL:1; SRVR:DB3PR0502MB4073;
 H:DB3PR0502MB3980.eurprd05.prod.outlook.com; FPR:; SPF:None; LANG:en;
 PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: mellanox.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: u9GXYVXrIJ4YDxNTFkQQmv9Ld3NASaH9JD4n2afwp/9I0H6wXpTwe4FZvgdv82k2ohY/HgQ0Z4JAy8cpMFAhQPvmSM6i59Rtdiht0SVpwoP3etwyPAlaFBSJFVoJuTGk14Yp67NfUf8BjQ/GTvXOPLTUxErwQBNQjv1HL46znIrI51U9SyVQUkE9AH4QSvGAV5TC0e5WP5RzEN6UqLSh/61YDwMy02ThqxZU+zDtQVcplHtVm5HWS9NPUFAt6q+SP5JIGHkYjzPtAB+LRVZtz8YfBe+9CxAmJdzn9YSGyAjVAU5FVRhnlUS/zxmAnSuIfGQUYbWTvT2fLxZ7K3BVdLwyhYYQo/eUCf5Nd5CSgjZZxGQx+xO+XuHebDCICspBC+B5Mbq9irMU9VmV5zGkhDDtVCfcRhEScDD59ybSE5A=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <553A7E669261AA4A8667B628392C8113@eurprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: Mellanox.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4e8685e7-687e-4a8c-707f-08d6b2e28ed8
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2019 18:32:24.7005 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a652971c-7d2e-4d9b-a6a4-d149256f461b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3PR0502MB4073
Subject: Re: [dpdk-stable] [PATCH 17.11] vhost: fix access for indirect
	descriptors
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>


> On Mar 15, 2019, at 2:21 AM, Tiwei Bie <tiwei.bie@intel.com> wrote:
>=20
> [ backported from upstream commit 48006390003b81f6d5c7b78e3f02ed49d104994=
5 ]
>=20
> Fix a possible out of bound access which may happen when handling
> indirect descs in split ring.
>=20
> Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx"=
)
>=20
> Reported-by: Haiyue Wang <haiyue.wang@intel.com>
> Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
> ---

applied to stable/17.11

Thanks,
Yongseok

> lib/librte_vhost/virtio_net.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>=20
> diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.=
c
> index 3e2935992..07d4609ee 100644
> --- a/lib/librte_vhost/virtio_net.c
> +++ b/lib/librte_vhost/virtio_net.c
> @@ -565,6 +565,7 @@ fill_vec_buf(struct virtio_net *dev, struct vhost_vir=
tqueue *vq,
> 	uint16_t idx =3D vq->avail->ring[avail_idx & (vq->size - 1)];
> 	uint32_t vec_id =3D *vec_idx;
> 	uint32_t len    =3D 0;
> +	uint32_t nr_descs =3D vq->size;
> 	uint64_t dlen;
> 	struct vring_desc *descs =3D vq->desc;
> 	struct vring_desc *idesc =3D NULL;
> @@ -576,6 +577,7 @@ fill_vec_buf(struct virtio_net *dev, struct vhost_vir=
tqueue *vq,
>=20
> 	if (vq->desc[idx].flags & VRING_DESC_F_INDIRECT) {
> 		dlen =3D vq->desc[idx].len;
> +		nr_descs =3D dlen / sizeof(struct vring_desc);
> 		descs =3D (struct vring_desc *)(uintptr_t)
> 			vhost_iova_to_vva(dev, vq, vq->desc[idx].addr,
> 						&dlen,
> @@ -599,7 +601,7 @@ fill_vec_buf(struct virtio_net *dev, struct vhost_vir=
tqueue *vq,
> 	}
>=20
> 	while (1) {
> -		if (unlikely(vec_id >=3D BUF_VECTOR_MAX || idx >=3D vq->size)) {
> +		if (unlikely(vec_id >=3D BUF_VECTOR_MAX || idx >=3D nr_descs)) {
> 			free_ind_table(idesc);
> 			return -1;
> 		}
> --=20
> 2.17.1
>=20