From: Yuanhan Liu
To: Ilya Maximets
Cc: dev@dpdk.org, Huawei Xie, Rich Lane, Dyasly Sergey, Heetae Ahn, Jianfeng Tan, Stephen Hemminger, Thomas Monjalon
Date: Fri, 15 Jul 2016 16:40:14 +0800
Message-ID: <20160715084014.GE5146@yliu-dev.sh.intel.com>
Subject: Re: [dpdk-dev] [PATCH v2] vhost: fix segfault on bad descriptor address

On Fri, Jul 15, 2016 at 10:23:12AM +0300, Ilya Maximets wrote:
> On 15.07.2016 09:17, Yuanhan Liu wrote:
> > On Thu, Jul 14, 2016 at 11:18:39AM +0300, Ilya Maximets wrote:
> >> In current implementation vhost will crash with segmentation fault
> >> if malicious or buggy virtio application breaks addresses of descriptors.
> >>
> >> Before commit 0823c1cb0a73 this crash was reproducible even with
> >> normal DPDK application that tries to change number of virtqueues
> >> dynamically inside VM.
> >>
> >> Fix that by checking addresses of descriptors before using.
> >>
> >> Also fixed return value on error for 'copy_mbuf_to_desc_mergeable()'
> >> from '-1' to '0' because it returns unsigned value and it means
> >> number of used descriptors.
> >
> > Yeah, that's a good fix. Thanks.
> >
> > Maybe you'd better make it a standalone patch.
>
> Ok. Maybe I should split this patch in two:
> 1. Fix return value + using of this value (vq->last_used_idx += nr_used;)
> 2. Check addresses of descriptors.
> What do you think?

Good to me.

> >> Signed-off-by: Ilya Maximets
> >> ---
> >> Version 2:
> >> * Rebased on top of current master.
> >> * host's address now checked in mergeable case,
> >> because needed refactoring already done.
> >> * Commit-message changed because old issue with
> >> virtio reload accidentally fixed by commit
> >> 0823c1cb0a73.
> >>
> >> lib/librte_vhost/vhost_rxtx.c | 28 +++++++++++++++++++++-------
> >> 1 file changed, 21 insertions(+), 7 deletions(-)
> >>
> >> diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c > >> index 15ca956..31e8b58 100644 > >> --- a/lib/librte_vhost/vhost_rxtx.c > >> +++ b/lib/librte_vhost/vhost_rxtx.c > >> @@ -147,10 +147,10 @@ copy_mbuf_to_desc(struct virtio_net *dev, struct vhost_virtqueue *vq, > >> struct virtio_net_hdr_mrg_rxbuf virtio_hdr = {{0, 0, 0, 0, 0, 0}, 0}; > >> > >> desc = &vq->desc[desc_idx]; > >> - if (unlikely(desc->len < dev->vhost_hlen)) > >> + desc_addr = gpa_to_vva(dev, desc->addr); > >> + if (unlikely(desc->len < dev->vhost_hlen || !desc_addr)) > >> return -1;
> >
> > So, you discard the workaround from Rich?
>
> I can apply it, if you wish. Should I?

Yeah, it's hard to tell. The performance regression is weird after all.
I'm thinking we should apply it anyway: it saves 10% regression, which
is worthwhile. I think we should also add comments there.

	--yliu
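
Review bot: In the copy_mbuf_to_desc() hunk, the new `!desc_addr` test only proves that the first byte of the descriptor buffer translates, because gpa_to_vva() is called with desc->addr alone and desc->len is never part of the lookup. A descriptor whose start address is valid but whose length runs past the end of the mapped guest region would still pass this check, so the later copy into desc_addr can leave the mapping. Consider validating the whole range (addr through addr + len) against the region that satisfied the translation, or at least note in a comment that only the start address is checked here. Separately, folding the length test and the address test into one `unlikely(... || ...)` makes the two failure causes indistinguishable; a short comment saying that a zero return from gpa_to_vva() means an unmapped guest address would cover the "add comments" request from this thread.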