From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ktraynor@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by dpdk.org (Postfix) with ESMTP id 7B90E1B3B5
 for <stable@dpdk.org>; Thu,  7 Feb 2019 14:28:32 +0100 (CET)
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
 [10.5.11.11])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id DF6AE7E9FD;
 Thu,  7 Feb 2019 13:28:31 +0000 (UTC)
Received: from ktraynor.remote.csb (unknown [10.33.36.135])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 00348600D7;
 Thu,  7 Feb 2019 13:28:27 +0000 (UTC)
From: Kevin Traynor <ktraynor@redhat.com>
To: Tiwei Bie <tiwei.bie@intel.com>
Cc: Haiyue Wang <haiyue.wang@intel.com>,
 Maxime Coquelin <maxime.coquelin@redhat.com>, dpdk stable <stable@dpdk.org>
Date: Thu,  7 Feb 2019 13:25:59 +0000
Message-Id: <20190207132614.20538-53-ktraynor@redhat.com>
In-Reply-To: <20190207132614.20538-1-ktraynor@redhat.com>
References: <20190207132614.20538-1-ktraynor@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.26]); Thu, 07 Feb 2019 13:28:31 +0000 (UTC)
Subject: [dpdk-stable] patch 'vhost: fix access for indirect descriptors'
	has been queued to LTS release 18.11.1
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 13:28:32 -0000

Hi,

FYI, your patch has been queued to LTS release 18.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 02/14/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Kevin Traynor

---
>>From 6a9995128d52e99c05a687eefa9c705edd4f7c40 Mon Sep 17 00:00:00 2001
From: Tiwei Bie <tiwei.bie@intel.com>
Date: Mon, 21 Jan 2019 16:12:18 +0800
Subject: [PATCH] vhost: fix access for indirect descriptors

[ upstream commit 48006390003b81f6d5c7b78e3f02ed49d1049945 ]

Fix a possible out of bound access which may happen when handling
indirect descs in split ring.

Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")

Reported-by: Haiyue Wang <haiyue.wang@intel.com>
Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
 lib/librte_vhost/virtio_net.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index ed9c0847f..15d682c3c 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -337,4 +337,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 	uint64_t dlen;
 	uint32_t nr_descs = vq->size;
+	uint32_t cnt    = 0;
 	struct vring_desc *descs = vq->desc;
 	struct vring_desc *idesc = NULL;
@@ -375,10 +376,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 
 	while (1) {
-		if (unlikely(idx >= vq->size)) {
-			free_ind_table(idesc);
-			return -1;
-		}
-
-		if (unlikely(nr_descs-- == 0)) {
+		if (unlikely(idx >= nr_descs || cnt++ >= nr_descs)) {
 			free_ind_table(idesc);
 			return -1;
-- 
2.19.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2019-02-07 13:19:56.807124963 +0000
+++ 0053-vhost-fix-access-for-indirect-descriptors.patch	2019-02-07 13:19:55.000000000 +0000
@@ -1,13 +1,14 @@
-From 48006390003b81f6d5c7b78e3f02ed49d1049945 Mon Sep 17 00:00:00 2001
+From 6a9995128d52e99c05a687eefa9c705edd4f7c40 Mon Sep 17 00:00:00 2001
 From: Tiwei Bie <tiwei.bie@intel.com>
 Date: Mon, 21 Jan 2019 16:12:18 +0800
 Subject: [PATCH] vhost: fix access for indirect descriptors
 
+[ upstream commit 48006390003b81f6d5c7b78e3f02ed49d1049945 ]
+
 Fix a possible out of bound access which may happen when handling
 indirect descs in split ring.
 
 Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")
-Cc: stable@dpdk.org
 
 Reported-by: Haiyue Wang <haiyue.wang@intel.com>
 Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
@@ -17,16 +18,16 @@
  1 file changed, 2 insertions(+), 6 deletions(-)
 
 diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
-index 0893a1d04..37a4c00d2 100644
+index ed9c0847f..15d682c3c 100644
 --- a/lib/librte_vhost/virtio_net.c
 +++ b/lib/librte_vhost/virtio_net.c
-@@ -311,4 +311,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -337,4 +337,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
  	uint64_t dlen;
  	uint32_t nr_descs = vq->size;
 +	uint32_t cnt    = 0;
  	struct vring_desc *descs = vq->desc;
  	struct vring_desc *idesc = NULL;
-@@ -349,10 +350,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
+@@ -375,10 +376,5 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
  
  	while (1) {
 -		if (unlikely(idx >= vq->size)) {