Linux-HyperV Archive on lore.kernel.org
 help / color / Atom feed
From: Vitaly Kuznetsov <vkuznets@redhat.com>
To: Haiyang Zhang <haiyangz@microsoft.com>
Cc: KY Srinivasan <kys@microsoft.com>,
	Stephen Hemminger <sthemmin@microsoft.com>,
	"olaf\@aepfle.de" <olaf@aepfle.de>,
	"davem\@davemloft.net" <davem@davemloft.net>,
	"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"sashal\@kernel.org" <sashal@kernel.org>,
	"linux-hyperv\@vger.kernel.org" <linux-hyperv@vger.kernel.org>,
	"netdev\@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH net, 1/2] hv_netvsc: Fix offset usage in netvsc_send_table()
Date: Mon, 18 Nov 2019 18:28:48 +0100
Message-ID: <87wobxgkkv.fsf@vitty.brq.redhat.com> (raw)
In-Reply-To: <1574094751-98966-2-git-send-email-haiyangz@microsoft.com>

Haiyang Zhang <haiyangz@microsoft.com> writes:

> To reach the data region, the existing code adds offset in struct
> nvsp_5_send_indirect_table on the beginning of this struct. But the
> offset should be based on the beginning of its container,
> struct nvsp_message. This bug causes the first table entry missing,
> and adds an extra zero from the zero pad after the data region.
> This can put extra burden on the channel 0.
>
> So, correct the offset usage. Also add a boundary check to ensure
> not reading beyond data region.
>
> Fixes: 5b54dac856cb ("hyperv: Add support for virtual Receive Side Scaling (vRSS)")
> Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
> ---
>  drivers/net/hyperv/hyperv_net.h |  3 ++-
>  drivers/net/hyperv/netvsc.c     | 26 ++++++++++++++++++--------
>  2 files changed, 20 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
> index 670ef68..fb547f3 100644
> --- a/drivers/net/hyperv/hyperv_net.h
> +++ b/drivers/net/hyperv/hyperv_net.h
> @@ -609,7 +609,8 @@ struct nvsp_5_send_indirect_table {
>  	/* The number of entries in the send indirection table */
>  	u32 count;
>  
> -	/* The offset of the send indirection table from top of this struct.
> +	/* The offset of the send indirection table from the beginning of
> +	 * struct nvsp_message.
>  	 * The send indirection table tells which channel to put the send
>  	 * traffic on. Each entry is a channel number.
>  	 */
> diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
> index d22a36f..efd30e2 100644
> --- a/drivers/net/hyperv/netvsc.c
> +++ b/drivers/net/hyperv/netvsc.c
> @@ -1178,20 +1178,28 @@ static int netvsc_receive(struct net_device *ndev,
>  }
>  
>  static void netvsc_send_table(struct net_device *ndev,
> -			      const struct nvsp_message *nvmsg)
> +			      const struct nvsp_message *nvmsg,
> +			      u32 msglen)
>  {
>  	struct net_device_context *net_device_ctx = netdev_priv(ndev);
> -	u32 count, *tab;
> +	u32 count, offset, *tab;
>  	int i;
>  
>  	count = nvmsg->msg.v5_msg.send_table.count;
> +	offset = nvmsg->msg.v5_msg.send_table.offset;
> +
>  	if (count != VRSS_SEND_TAB_SIZE) {
>  		netdev_err(ndev, "Received wrong send-table size:%u\n", count);
>  		return;
>  	}
>  
> -	tab = (u32 *)((unsigned long)&nvmsg->msg.v5_msg.send_table +
> -		      nvmsg->msg.v5_msg.send_table.offset);
> +	if (offset + count * sizeof(u32) > msglen) {

Nit: I think this can overflow.

> +		netdev_err(ndev, "Received send-table offset too big:%u\n",
> +			   offset);
> +		return;
> +	}
> +
> +	tab = (void *)nvmsg + offset;

But tab is 'u32 *', doesn't compiler complain?

>  
>  	for (i = 0; i < count; i++)
>  		net_device_ctx->tx_table[i] = tab[i];
> @@ -1209,12 +1217,13 @@ static void netvsc_send_vf(struct net_device *ndev,
>  		    net_device_ctx->vf_alloc ? "added" : "removed");
>  }
>  
> -static  void netvsc_receive_inband(struct net_device *ndev,
> -				   const struct nvsp_message *nvmsg)
> +static void netvsc_receive_inband(struct net_device *ndev,
> +				  const struct nvsp_message *nvmsg,
> +				  u32 msglen)
>  {
>  	switch (nvmsg->hdr.msg_type) {
>  	case NVSP_MSG5_TYPE_SEND_INDIRECTION_TABLE:
> -		netvsc_send_table(ndev, nvmsg);
> +		netvsc_send_table(ndev, nvmsg, msglen);
>  		break;
>  
>  	case NVSP_MSG4_TYPE_SEND_VF_ASSOCIATION:
> @@ -1232,6 +1241,7 @@ static int netvsc_process_raw_pkt(struct hv_device *device,
>  {
>  	struct vmbus_channel *channel = nvchan->channel;
>  	const struct nvsp_message *nvmsg = hv_pkt_data(desc);
> +	u32 msglen = hv_pkt_datalen(desc);
>  
>  	trace_nvsp_recv(ndev, channel, nvmsg);
>  
> @@ -1247,7 +1257,7 @@ static int netvsc_process_raw_pkt(struct hv_device *device,
>  		break;
>  
>  	case VM_PKT_DATA_INBAND:
> -		netvsc_receive_inband(ndev, nvmsg);
> +		netvsc_receive_inband(ndev, nvmsg, msglen);
>  		break;
>  
>  	default:

-- 
Vitaly


  reply index

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-18 16:33 [PATCH net, 0/2] Fix send indirection table offset Haiyang Zhang
2019-11-18 16:34 ` [PATCH net, 1/2] hv_netvsc: Fix offset usage in netvsc_send_table() Haiyang Zhang
2019-11-18 17:28   ` Vitaly Kuznetsov [this message]
2019-11-18 17:59     ` Stephen Hemminger
2019-11-18 18:39     ` Haiyang Zhang
2019-11-18 20:47       ` Michael Kelley
2019-11-18 21:01         ` Haiyang Zhang
2019-11-18 16:34 ` [PATCH net, 2/2] hv_netvsc: Fix send_table offset in case of a host bug Haiyang Zhang

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87wobxgkkv.fsf@vitty.brq.redhat.com \
    --to=vkuznets@redhat.com \
    --cc=davem@davemloft.net \
    --cc=haiyangz@microsoft.com \
    --cc=kys@microsoft.com \
    --cc=linux-hyperv@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=olaf@aepfle.de \
    --cc=sashal@kernel.org \
    --cc=sthemmin@microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-HyperV Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-hyperv/0 linux-hyperv/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-hyperv linux-hyperv/ https://lore.kernel.org/linux-hyperv \
		linux-hyperv@vger.kernel.org
	public-inbox-index linux-hyperv

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-hyperv


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git