From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9FCE62E542E; Tue, 8 Jul 2025 16:37:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751992662; cv=none; b=YeLl1K1GpzTa3pWVvMFBO79299/BoFNpN3gGIqXy+Xr9U4clCIt5LFyXal6DgdKPgMnQX7gG1nsp1CGFF3M+sZTwYR7p5k9ZdjfaQpgMaCakNWhaaJJESdr//NKUZ2H8SXPUQfPjZpXF0vuQC+WcOl7+IMbitVYZqO3RZmhWOVk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751992662; c=relaxed/simple; bh=ThqnESc1CQOtOl0unqWCouQtxyXPl5kJMInw2ylRFuw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZDJv6vg7hdr22A/Pwh2sTGoKQPQYXQ318Bhq8c2FbSl0fbNGI6QIXwdWZc/PXa+bX5Ac9LItJGqswUc9R6qR6lAm+FU28bByGEjUDScOtBAC5hKf/HuCXWEhXaYzAAePc2PE5uKWIIzHTuwzLwVpiCMkN7c8fnxYqnCvj9cMaFA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=pyxcDFB2; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="pyxcDFB2" Received: by smtp.kernel.org (Postfix) with ESMTPSA id CF9A5C4CEED; Tue, 8 Jul 2025 16:37:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1751992662; bh=ThqnESc1CQOtOl0unqWCouQtxyXPl5kJMInw2ylRFuw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pyxcDFB2x/5c8UTUX064+g0no5qTK39ll9oe8k1iNFQkCod5MkFbvGZDo/F+wZwf8 MjjAVtHsfVRMa+vL4X004DvozxwEUJdPHIPwWM1SclhxTJR0HBLTvwQrF9e6a5BoHf bZ5zG7U/oMDplb022A1+KlFEDRSExiwcrc3MM7DE= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Xuan Zhuo , Bui Quang Minh , Paolo Abeni Subject: [PATCH 6.12 004/232] virtio-net: xsk: rx: fix the frames length check Date: Tue, 8 Jul 2025 18:20:00 +0200 Message-ID: <20250708162241.546760891@linuxfoundation.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250708162241.426806072@linuxfoundation.org> References: <20250708162241.426806072@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Bui Quang Minh commit 5177373c31318c3c6a190383bfd232e6cf565c36 upstream. When calling buf_to_xdp, the len argument is the frame data's length without virtio header's length (vi->hdr_len). We check that len with xsk_pool_get_rx_frame_size() + vi->hdr_len to ensure the provided len does not larger than the allocated chunk size. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk, we use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost to start placing data from hard_start + XDP_PACKET_HEADROOM - vi->hdr_len not hard_start + XDP_PACKET_HEADROOM But the first buffer has virtio_header, so the maximum frame's length in the first buffer can only be xsk_pool_get_rx_frame_size() not xsk_pool_get_rx_frame_size() + vi->hdr_len like in the current check. This commit adds an additional argument to buf_to_xdp differentiate between the first buffer and other ones to correctly calculate the maximum frame's length. Cc: stable@vger.kernel.org Reviewed-by: Xuan Zhuo Fixes: a4e7ba702701 ("virtio_net: xsk: rx: support recv small mode") Signed-off-by: Bui Quang Minh Link: https://patch.msgid.link/20250630151315.86722-2-minhquangbui99@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman --- drivers/net/virtio_net.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -1098,15 +1098,29 @@ static void sg_fill_dma(struct scatterli sg->length = len; } +/* Note that @len is the length of received data without virtio header */ static struct xdp_buff *buf_to_xdp(struct virtnet_info *vi, - struct receive_queue *rq, void *buf, u32 len) + struct receive_queue *rq, void *buf, + u32 len, bool first_buf) { struct xdp_buff *xdp; u32 bufsize; xdp = (struct xdp_buff *)buf; - bufsize = xsk_pool_get_rx_frame_size(rq->xsk_pool) + vi->hdr_len; + /* In virtnet_add_recvbuf_xsk, we use part of XDP_PACKET_HEADROOM for + * virtio header and ask the vhost to fill data from + * hard_start + XDP_PACKET_HEADROOM - vi->hdr_len + * The first buffer has virtio header so the remaining region for frame + * data is + * xsk_pool_get_rx_frame_size() + * While other buffers than the first one do not have virtio header, so + * the maximum frame data's length can be + * xsk_pool_get_rx_frame_size() + vi->hdr_len + */ + bufsize = xsk_pool_get_rx_frame_size(rq->xsk_pool); + if (!first_buf) + bufsize += vi->hdr_len; if (unlikely(len > bufsize)) { pr_debug("%s: rx error: len %u exceeds truesize %u\n", @@ -1231,7 +1245,7 @@ static int xsk_append_merge_buffer(struc u64_stats_add(&stats->bytes, len); - xdp = buf_to_xdp(vi, rq, buf, len); + xdp = buf_to_xdp(vi, rq, buf, len, false); if (!xdp) goto err; @@ -1329,7 +1343,7 @@ static void virtnet_receive_xsk_buf(stru u64_stats_add(&stats->bytes, len); - xdp = buf_to_xdp(vi, rq, buf, len); + xdp = buf_to_xdp(vi, rq, buf, len, true); if (!xdp) return;