* [PATCH] hv_netvsc: Fix potentionally overflow in netvsc_xdp_xmit()
@ 2021-10-13  3:04 Jiasheng Jiang
  2021-10-13 12:44 ` Haiyang Zhang
  0 siblings, 1 reply; 2+ messages in thread
From: Jiasheng Jiang @ 2021-10-13  3:04 UTC (permalink / raw)
  To: kys, haiyangz, sthemmin, wei.liu, decui, davem, kuba, ast,
	daniel, hawk, john.fastabend, andrii, kafai, songliubraving, yhs,
	kpsingh
  Cc: linux-hyperv, netdev, linux-kernel, bpf, Jiasheng Jiang

Adding skb_rx_queue_recorded() to avoid the value of skb->queue_mapping
being 0. Otherwise the return value of skb_get_rx_queue() could be MAX_U16
caused by overflow.

Fixes: 351e158 ("hv_netvsc: Add XDP support")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
---
 drivers/net/hyperv/netvsc_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index f682a55..e51201e 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -807,7 +807,7 @@ static void netvsc_xdp_xmit(struct sk_buff *skb, struct net_device *ndev)
 {
 	int rc;
 
-	skb->queue_mapping = skb_get_rx_queue(skb);
+	skb->queue_mapping = skb_rx_queue_recorded(skb) ? skb_get_rx_queue(skb) : 0;
 	__skb_push(skb, ETH_HLEN);
 
 	rc = netvsc_xmit(skb, ndev, true);
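Review bot: On the `+` line in netvsc_xdp_xmit(), the fallback silently transmits a frame with no recorded RX queue on queue 0, and nothing in this hunk shows a caller that can reach the function before the RX queue has been recorded. If no such path exists, the ternary is dead code and a comment stating the precondition is the smaller change; if one does exist, name it in the commit message. The commit message also says the check avoids skb->queue_mapping being 0, while the new line assigns 0 in exactly that case, so the description should instead say it avoids the wrapped MAX_U16 return from skb_get_rx_queue(). The replaced line is also longer than 80 columns and could be split into an if/else.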
-- 
2.7.4



* RE: [PATCH] hv_netvsc: Fix potentionally overflow in netvsc_xdp_xmit()
  2021-10-13  3:04 [PATCH] hv_netvsc: Fix potentionally overflow in netvsc_xdp_xmit() Jiasheng Jiang
@ 2021-10-13 12:44 ` Haiyang Zhang
  0 siblings, 0 replies; 2+ messages in thread
From: Haiyang Zhang @ 2021-10-13 12:44 UTC (permalink / raw)
  To: Jiasheng Jiang, KY Srinivasan, Stephen Hemminger, wei.liu,
	Dexuan Cui, davem, kuba, ast, daniel, hawk, john.fastabend,
	andrii, kafai, songliubraving, yhs, kpsingh
  Cc: linux-hyperv, netdev, linux-kernel, bpf



> -----Original Message-----
> From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> Sent: Tuesday, October 12, 2021 11:05 PM
> To: KY Srinivasan <kys@microsoft.com>; Haiyang Zhang
> <haiyangz@microsoft.com>; Stephen Hemminger <sthemmin@microsoft.com>;
> wei.liu@kernel.org; Dexuan Cui <decui@microsoft.com>;
> davem@davemloft.net; kuba@kernel.org; ast@kernel.org;
> daniel@iogearbox.net; hawk@kernel.org; john.fastabend@gmail.com;
> andrii@kernel.org; kafai@fb.com; songliubraving@fb.com; yhs@fb.com;
> kpsingh@kernel.org
> Cc: linux-hyperv@vger.kernel.org; netdev@vger.kernel.org; linux-
> kernel@vger.kernel.org; bpf@vger.kernel.org; Jiasheng Jiang
> <jiasheng@iscas.ac.cn>
> Subject: [PATCH] hv_netvsc: Fix potentionally overflow in
> netvsc_xdp_xmit()
> 
> Adding skb_rx_queue_recorded() to avoid the value of skb->queue_mapping
> being 0. Otherwise the return value of skb_get_rx_queue() could be
> MAX_U16
> caused by overflow.
> 
> Fixes: 351e158 ("hv_netvsc: Add XDP support")
> Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> ---
>  drivers/net/hyperv/netvsc_drv.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/hyperv/netvsc_drv.c
> b/drivers/net/hyperv/netvsc_drv.c
> index f682a55..e51201e 100644
> --- a/drivers/net/hyperv/netvsc_drv.c
> +++ b/drivers/net/hyperv/netvsc_drv.c
> @@ -807,7 +807,7 @@ static void netvsc_xdp_xmit(struct sk_buff *skb,
> struct net_device *ndev)
>  {
>         int rc;
> 
> -       skb->queue_mapping = skb_get_rx_queue(skb);
> +       skb->queue_mapping = skb_rx_queue_recorded(skb) ?
> skb_get_rx_queue(skb) : 0;
>         __skb_push(skb, ETH_HLEN);
> 

netvsc_xdp_xmit() is only called from netvsc_recv_callback() 
and after skb_record_rx_queue(skb, q_idx) is called:

        skb_record_rx_queue(skb, q_idx);

	  ......

        if (act == XDP_TX) {
                netvsc_xdp_xmit(skb, net);
                return NVSP_STAT_SUCCESS;
        }

So the existing code doesn't need this patch.

To avoid future misusing of netvsc_xdp_xmit() in other places, you
may just add a comment -- "This function should only be called 
after skb_record_rx_queue()".

Thanks,

- Haiyang
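
The queue-index encoding this thread turns on, as an added example that is not part of either message or of the driver: a userspace C model, assuming the kernel helpers store the RX queue index biased by one so that 0 means "not recorded". `struct skb_model` and the `xmit_queue_*` functions are hypothetical names used only here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the one field that matters; 0 means "no RX queue recorded". */
struct skb_model { uint16_t queue_mapping; };

/* Assumed helper semantics: the index is stored as rx_queue + 1. */
static void skb_record_rx_queue(struct skb_model *skb, uint16_t rx_queue)
{
	skb->queue_mapping = (uint16_t)(rx_queue + 1);
}

static uint16_t skb_get_rx_queue(const struct skb_model *skb)
{
	/* With queue_mapping == 0 this wraps to 0xFFFF (MAX_U16). */
	return (uint16_t)(skb->queue_mapping - 1);
}

static bool skb_rx_queue_recorded(const struct skb_model *skb)
{
	return skb->queue_mapping != 0;
}

/* Queue selection as on the '-' line of the patch. */
static uint16_t xmit_queue_unpatched(const struct skb_model *skb)
{
	return skb_get_rx_queue(skb);
}

/* Queue selection as on the '+' line of the patch. */
static uint16_t xmit_queue_patched(const struct skb_model *skb)
{
	return skb_rx_queue_recorded(skb) ? skb_get_rx_queue(skb) : 0;
}

int main(void)
{
	struct skb_model unset = { 0 }, recorded = { 0 };

	/* The ordering Haiyang describes: record first, then transmit. */
	skb_record_rx_queue(&recorded, 3);
	printf("unset:    unpatched=%u patched=%u\n",
	       (unsigned)xmit_queue_unpatched(&unset), (unsigned)xmit_queue_patched(&unset));
	printf("recorded: unpatched=%u patched=%u\n",
	       (unsigned)xmit_queue_unpatched(&recorded), (unsigned)xmit_queue_patched(&recorded));
	return 0;
}
```

With the queue recorded first, both variants pick the same queue; they differ only for an skb that never had a queue recorded.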

