* [PATCH] vhost/net: length miscalculation
@ 2015-01-07 8:55 Michael S. Tsirkin
2015-01-07 15:09 ` Alex Williamson
2015-01-07 20:58 ` Sergei Shtylyov
0 siblings, 2 replies; 4+ messages in thread
From: Michael S. Tsirkin @ 2015-01-07 8:55 UTC (permalink / raw)
To: linux-kernel; +Cc: Alex Williamson, Greg Kurz, kvm, virtualization, netdev
commit 8b38694a2dc8b18374310df50174f1e4376d6824
vhost/net: virtio 1.0 byte swap
had this chunk:
- heads[headcount - 1].len += datalen;
+ heads[headcount - 1].len = cpu_to_vhost32(vq, len - datalen);
This adds datalen with the wrong sign, causing guest panics.
Fixes: 8b38694a2dc8b18374310df50174f1e4376d6824
Reported-by: Alex Williamson <alex.williamson@redhat.com>
Suggested-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
Alex, could you please confirm this fixes the crash for you?
drivers/vhost/net.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 14419a8..d415d69 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -538,7 +538,7 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
++headcount;
seg += in;
}
- heads[headcount - 1].len = cpu_to_vhost32(vq, len - datalen);
+ heads[headcount - 1].len = cpu_to_vhost32(vq, len + datalen);
*iovcount = seg;
if (unlikely(log))
*log_num = nlogs;
--
MST
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] vhost/net: length miscalculation
2015-01-07 8:55 [PATCH] vhost/net: length miscalculation Michael S. Tsirkin
@ 2015-01-07 15:09 ` Alex Williamson
2015-01-07 20:58 ` Sergei Shtylyov
1 sibling, 0 replies; 4+ messages in thread
From: Alex Williamson @ 2015-01-07 15:09 UTC (permalink / raw)
To: Michael S. Tsirkin; +Cc: linux-kernel, Greg Kurz, kvm, virtualization, netdev
On Wed, 2015-01-07 at 10:55 +0200, Michael S. Tsirkin wrote:
> commit 8b38694a2dc8b18374310df50174f1e4376d6824
> vhost/net: virtio 1.0 byte swap
> had this chunk:
> - heads[headcount - 1].len += datalen;
> + heads[headcount - 1].len = cpu_to_vhost32(vq, len - datalen);
>
> This adds datalen with the wrong sign, causing guest panics.
>
> Fixes: 8b38694a2dc8b18374310df50174f1e4376d6824
> Reported-by: Alex Williamson <alex.williamson@redhat.com>
> Suggested-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>
> Alex, could you please confirm this fixes the crash for you?
Confirmed, this works. Thanks,
Alex
> drivers/vhost/net.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 14419a8..d415d69 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -538,7 +538,7 @@ static int get_rx_bufs(struct vhost_virtqueue *vq,
> ++headcount;
> seg += in;
> }
> - heads[headcount - 1].len = cpu_to_vhost32(vq, len - datalen);
> + heads[headcount - 1].len = cpu_to_vhost32(vq, len + datalen);
> *iovcount = seg;
> if (unlikely(log))
> *log_num = nlogs;
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] vhost/net: length miscalculation
2015-01-07 8:55 [PATCH] vhost/net: length miscalculation Michael S. Tsirkin
2015-01-07 15:09 ` Alex Williamson
@ 2015-01-07 20:58 ` Sergei Shtylyov
2015-01-08 8:08 ` Michael S. Tsirkin
1 sibling, 1 reply; 4+ messages in thread
From: Sergei Shtylyov @ 2015-01-07 20:58 UTC (permalink / raw)
To: Michael S. Tsirkin, linux-kernel
Cc: Alex Williamson, Greg Kurz, kvm, virtualization, netdev
Hello.
On 01/07/2015 11:55 AM, Michael S. Tsirkin wrote:
> commit 8b38694a2dc8b18374310df50174f1e4376d6824
> vhost/net: virtio 1.0 byte swap
> had this chunk:
> - heads[headcount - 1].len += datalen;
> + heads[headcount - 1].len = cpu_to_vhost32(vq, len - datalen);
> This adds datalen with the wrong sign, causing guest panics.
> Fixes: 8b38694a2dc8b18374310df50174f1e4376d6824
The format of this tag assumes 12-digit SHA1 hash and the commit
description enclosed in parens and double quotes. See
Documentation/SubmittingPatches.
> Reported-by: Alex Williamson <alex.williamson@redhat.com>
> Suggested-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
WBR, Sergei
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] vhost/net: length miscalculation
2015-01-07 20:58 ` Sergei Shtylyov
@ 2015-01-08 8:08 ` Michael S. Tsirkin
0 siblings, 0 replies; 4+ messages in thread
From: Michael S. Tsirkin @ 2015-01-08 8:08 UTC (permalink / raw)
To: Sergei Shtylyov
Cc: linux-kernel, Alex Williamson, Greg Kurz, kvm, virtualization,
netdev
On Wed, Jan 07, 2015 at 11:58:00PM +0300, Sergei Shtylyov wrote:
> Hello.
>
> On 01/07/2015 11:55 AM, Michael S. Tsirkin wrote:
>
> >commit 8b38694a2dc8b18374310df50174f1e4376d6824
> > vhost/net: virtio 1.0 byte swap
> >had this chunk:
> >- heads[headcount - 1].len += datalen;
> >+ heads[headcount - 1].len = cpu_to_vhost32(vq, len - datalen);
>
> >This adds datalen with the wrong sign, causing guest panics.
>
> >Fixes: 8b38694a2dc8b18374310df50174f1e4376d6824
>
> The format of this tag assumes 12-digit SHA1 hash and the commit
> description enclosed in parens and double quotes. See
> Documentation/SubmittingPatches.
>
> >Reported-by: Alex Williamson <alex.williamson@redhat.com>
> >Suggested-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
> >Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
>
> WBR, Sergei
I pushed the patches to Linus unfortunately - there's
some urgency since many people are hitting the bug.
Will do my best to do it right next time.
--
MST
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-01-08 8:08 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-01-07 8:55 [PATCH] vhost/net: length miscalculation Michael S. Tsirkin
2015-01-07 15:09 ` Alex Williamson
2015-01-07 20:58 ` Sergei Shtylyov
2015-01-08 8:08 ` Michael S. Tsirkin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).