From: Maxime Coquelin
To: stable@dpdk.org, tiwei.bie@intel.com
Cc: Zhike Wang, Maxime Coquelin
Date: Thu, 14 Nov 2019 16:16:29 +0100
Message-Id: <20191114151629.27435-1-maxime.coquelin@redhat.com>
Subject: [dpdk-stable] [18.11 LTS PATCH] vhost: fix vring requests validation broken if no FD

From: Zhike Wang

When VHOST_USER_VRING_NOFD_MASK is set, the fd_num is 0, so
validate_msg_fds() will return an error. In this case, the negotiation
of the vring message between the vhost user front end and back end would
fail, and as a result, the vhost user link could NOT be up.

How to reproduce:
1. Run dpdk testpmd inside a VM, which is located on a host with ovs+dpdk.
2. Notice that inside ovs there are endless logs regarding failure to
   handle VHOST_USER_SET_VRING_CALL, and the link of the VM could NOT be up.

Fixes: f8898927bb16 ("vhost: fix possible denial of service by leaking FDs")
Cc: stable@dpdk.org

Signed-off-by: Zhike Wang
Reviewed-by: Maxime Coquelin
---
Backport not tested yet.

 lib/librte_vhost/vhost_user.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 98cd670e03..530823ecd9 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -1241,8 +1241,10 @@ vhost_user_set_vring_call(struct virtio_net **pdev, = struct VhostUserMsg *msg, =09struct virtio_net *dev =3D *pdev; =09struct vhost_vring_file file; =09struct vhost_virtqueue *vq; +=09int expected_fds; =20 -=09if (validate_msg_fds(msg, 1) !=3D 0) +=09expected_fds =3D (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : = 1; +=09if (validate_msg_fds(msg, expected_fds) !=3D 0) =09=09return VH_RESULT_ERR; =20 =09file.index =3D msg->payload.u64 & VHOST_USER_VRING_IDX_MASK; @@ -1266,7 +1268,10 @@ static int vhost_user_set_vring_err(struct virtio_ne= t **pdev __rte_unused, =09=09=09struct VhostUserMsg *msg, =09=09=09int main_fd __rte_unused) { -=09if (validate_msg_fds(msg, 1) !=3D 0) +=09int expected_fds; + +=09expected_fds =3D (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : = 1; +=09if (validate_msg_fds(msg, expected_fds) !=3D 0) =09=09return VH_RESULT_ERR; =20 =09if (!(msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK)) @@ -1283,8 +1288,10 @@ vhost_user_set_vring_kick(struct virtio_net **pdev, = struct VhostUserMsg *msg, =09struct virtio_net *dev =3D *pdev; =09struct vhost_vring_file file; =09struct vhost_virtqueue *vq; +=09int expected_fds; =20 -=09if (validate_msg_fds(msg, 1) !=3D 0) +=09expected_fds =3D (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : = 1; +=09if (validate_msg_fds(msg, expected_fds) !=3D 0) =09=09return VH_RESULT_ERR; =20 =09file.index =3D msg->payload.u64 & VHOST_USER_VRING_IDX_MASK; --=20 2.21.0
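
Review bot: In vhost_user_set_vring_call, the new expression `(msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1` is repeated verbatim in vhost_user_set_vring_err and vhost_user_set_vring_kick, so the three handlers can drift apart on a later change. A small static helper that takes the message and returns the expected descriptor count would keep the validation in one place and remove the three `expected_fds` locals.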
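
Review bot: In vhost_user_set_vring_err, the NOFD bit is now tested twice, once to compute `expected_fds` and again in the unchanged `if (!(msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK))` that follows the validation. Reusing the already computed value (for example testing `expected_fds` in the second condition) would guarantee that the validation and the descriptor handling below it always agree on whether a descriptor is present.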
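
Review bot: In vhost_user_set_vring_kick, the reason zero descriptors is the correct count is not documented next to `expected_fds`; a one-line comment stating that a message with VHOST_USER_VRING_NOFD_MASK set carries no descriptor would make clear that the check from f8898927bb16 is being kept strict rather than relaxed. The posting also says "Backport not tested yet" and the reproduction steps only mention VHOST_USER_SET_VRING_CALL, so the kick and err handlers should be exercised with the NOFD bit set before this lands on 18.11.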