From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ktraynor@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by dpdk.org (Postfix) with ESMTP id 760051B460
 for <stable@dpdk.org>; Thu, 31 Jan 2019 16:50:24 +0100 (CET)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com
 [10.5.11.16])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id AE639C05167B;
 Thu, 31 Jan 2019 15:50:23 +0000 (UTC)
Received: from ktraynor.remote.csb (ovpn-117-200.ams2.redhat.com
 [10.36.117.200])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 277DD5C21F;
 Thu, 31 Jan 2019 15:50:21 +0000 (UTC)
From: Kevin Traynor <ktraynor@redhat.com>
To: Tiwei Bie <tiwei.bie@intel.com>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>, dpdk stable <stable@dpdk.org>
Date: Thu, 31 Jan 2019 15:48:34 +0000
Message-Id: <20190131154901.5383-26-ktraynor@redhat.com>
In-Reply-To: <20190131154901.5383-1-ktraynor@redhat.com>
References: <20190131154901.5383-1-ktraynor@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.31]); Thu, 31 Jan 2019 15:50:23 +0000 (UTC)
Subject: [dpdk-stable] patch 'vhost: fix possible dead loop in vector
	filling' has been queued to LTS release 18.11.1
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jan 2019 15:50:24 -0000

Hi,

FYI, your patch has been queued to LTS release 18.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 02/07/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Kevin Traynor

---
>>From ef846dc5243732117953303e500f29d7386611f2 Mon Sep 17 00:00:00 2001
From: Tiwei Bie <tiwei.bie@intel.com>
Date: Fri, 4 Jan 2019 12:06:41 +0800
Subject: [PATCH] vhost: fix possible dead loop in vector filling

[ upstream commit 450539b47ec89bcb49973a24b4c85c5f0bc8f37b ]

Fix a possible dead loop which may happen, e.g. when driver
created a loop in the desc list and lens in descs are zero.

Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
Fixes: 2f3225a7d69b ("vhost: add vector filling support for packed ring")

Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
 lib/librte_vhost/virtio_net.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 8ddee4ca5..ed9c0847f 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -336,4 +336,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	uint32_t len    = 0;
 	uint64_t dlen;
+	uint32_t nr_descs = vq->size;
 	struct vring_desc *descs = vq->desc;
 	struct vring_desc *idesc = NULL;
@@ -346,4 +347,8 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	if (vq->desc[idx].flags & VRING_DESC_F_INDIRECT) {
 		dlen = vq->desc[idx].len;
+		nr_descs = dlen / sizeof(struct vring_desc);
+		if (unlikely(nr_descs > vq->size))
+			return -1;
+
 		descs = (struct vring_desc *)(uintptr_t)
 			vhost_iova_to_vva(dev, vq, vq->desc[idx].addr,
@@ -375,4 +380,9 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 		}
 
+		if (unlikely(nr_descs-- == 0)) {
+			free_ind_table(idesc);
+			return -1;
+		}
+
 		len += descs[idx].len;
 
@@ -537,4 +547,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
 			return -1;
 
+		if (unlikely(*desc_count >= vq->size))
+			return -1;
+
 		*desc_count += 1;
 		*buf_id = descs[avail_idx].id;
-- 
2.19.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2019-01-31 15:44:06.352457433 +0000
+++ 0026-vhost-fix-possible-dead-loop-in-vector-filling.patch	2019-01-31 15:44:05.000000000 +0000
@@ -1,14 +1,15 @@
-From 450539b47ec89bcb49973a24b4c85c5f0bc8f37b Mon Sep 17 00:00:00 2001
+From ef846dc5243732117953303e500f29d7386611f2 Mon Sep 17 00:00:00 2001
 From: Tiwei Bie <tiwei.bie@intel.com>
 Date: Fri, 4 Jan 2019 12:06:41 +0800
 Subject: [PATCH] vhost: fix possible dead loop in vector filling
 
+[ upstream commit 450539b47ec89bcb49973a24b4c85c5f0bc8f37b ]
+
 Fix a possible dead loop which may happen, e.g. when driver
 created a loop in the desc list and lens in descs are zero.
 
 Fixes: fd68b4739d2c ("vhost: use buffer vectors in dequeue path")
 Fixes: 2f3225a7d69b ("vhost: add vector filling support for packed ring")
-Cc: stable@dpdk.org
 
 Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
 Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
@@ -17,16 +18,16 @@
  1 file changed, 13 insertions(+)
 
 diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
-index d64c355b9..0893a1d04 100644
+index 8ddee4ca5..ed9c0847f 100644
 --- a/lib/librte_vhost/virtio_net.c
 +++ b/lib/librte_vhost/virtio_net.c
-@@ -310,4 +310,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -336,4 +336,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
  	uint32_t len    = 0;
  	uint64_t dlen;
 +	uint32_t nr_descs = vq->size;
  	struct vring_desc *descs = vq->desc;
  	struct vring_desc *idesc = NULL;
-@@ -320,4 +321,8 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -346,4 +347,8 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
  	if (vq->desc[idx].flags & VRING_DESC_F_INDIRECT) {
  		dlen = vq->desc[idx].len;
 +		nr_descs = dlen / sizeof(struct vring_desc);
@@ -35,7 +36,7 @@
 +
  		descs = (struct vring_desc *)(uintptr_t)
  			vhost_iova_to_vva(dev, vq, vq->desc[idx].addr,
-@@ -349,4 +354,9 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -375,4 +380,9 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
  		}
  
 +		if (unlikely(nr_descs-- == 0)) {
@@ -45,7 +46,7 @@
 +
  		len += descs[idx].len;
  
-@@ -511,4 +521,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -537,4 +547,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
  			return -1;
  
 +		if (unlikely(*desc_count >= vq->size))