From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>,
"Si-Wei Liu" <si-wei.liu@oracle.com>,
Darren Kenny <darren.kenny@oracle.com>,
Jason Wang <jasowang@redhat.com>, Paolo Abeni <pabeni@redhat.com>,
Sasha Levin <sashal@kernel.org>,
mst@redhat.com, andrew+netdev@lunn.ch, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org,
virtualization@lists.linux.dev, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.12 084/107] virtio-net: fix overflow inside virtnet_rq_alloc
Date: Sun, 24 Nov 2024 08:29:44 -0500 [thread overview]
Message-ID: <20241124133301.3341829-84-sashal@kernel.org> (raw)
In-Reply-To: <20241124133301.3341829-1-sashal@kernel.org>
From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
[ Upstream commit 6aacd1484468361d1d04badfe75f264fa5314864 ]
When the frag just got a page, then may lead to regression on VM.
Specially if the sysctl net.core.high_order_alloc_disable value is 1,
then the frag always get a page when do refill.
Which could see reliable crashes or scp failure (scp a file 100M in size
to VM).
The issue is that the virtnet_rq_dma takes up 16 bytes at the beginning
of a new frag. When the frag size is larger than PAGE_SIZE,
everything is fine. However, if the frag is only one page and the
total size of the buffer and virtnet_rq_dma is larger than one page, an
overflow may occur.
The commit f9dac92ba908 ("virtio_ring: enable premapped mode whatever
use_dma_api") introduced this problem. And we reverted some commits to
fix this in last linux version. Now we try to enable it and fix this
bug directly.
Here, when the frag size is not enough, we reduce the buffer len to fix
this problem.
Reported-by: "Si-Wei Liu" <si-wei.liu@oracle.com>
Tested-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/virtio_net.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 53a038fcbe991..c897afef0b414 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -946,9 +946,6 @@ static void *virtnet_rq_alloc(struct receive_queue *rq, u32 size, gfp_t gfp)
void *buf, *head;
dma_addr_t addr;
- if (unlikely(!skb_page_frag_refill(size, alloc_frag, gfp)))
- return NULL;
-
head = page_address(alloc_frag->page);
if (rq->do_dma) {
@@ -2443,6 +2440,9 @@ static int add_recvbuf_small(struct virtnet_info *vi, struct receive_queue *rq,
len = SKB_DATA_ALIGN(len) +
SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+ if (unlikely(!skb_page_frag_refill(len, &rq->alloc_frag, gfp)))
+ return -ENOMEM;
+
buf = virtnet_rq_alloc(rq, len, gfp);
if (unlikely(!buf))
return -ENOMEM;
@@ -2545,6 +2545,12 @@ static int add_recvbuf_mergeable(struct virtnet_info *vi,
*/
len = get_mergeable_buf_len(rq, &rq->mrg_avg_pkt_len, room);
+ if (unlikely(!skb_page_frag_refill(len + room, alloc_frag, gfp)))
+ return -ENOMEM;
+
+ if (!alloc_frag->offset && len + room + sizeof(struct virtnet_rq_dma) > alloc_frag->size)
+ len -= sizeof(struct virtnet_rq_dma);
+
buf = virtnet_rq_alloc(rq, len + room, gfp);
if (unlikely(!buf))
return -ENOMEM;
--
2.43.0
next prev parent reply other threads:[~2024-11-24 13:38 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20241124133301.3341829-1-sashal@kernel.org>
2024-11-24 13:28 ` [PATCH AUTOSEL 6.12 030/107] r8169: don't apply UDP padding quirk on RTL8126A Sasha Levin
2024-11-24 13:28 ` [PATCH AUTOSEL 6.12 035/107] net: fec_mpc52xx_phy: Use %pa to format resource_size_t Sasha Levin
2024-11-24 13:28 ` [PATCH AUTOSEL 6.12 036/107] net: ethernet: fs_enet: " Sasha Levin
2024-11-24 13:28 ` [PATCH AUTOSEL 6.12 037/107] net/sched: cbs: Fix integer overflow in cbs_set_port_rate() Sasha Levin
2024-11-24 13:28 ` [PATCH AUTOSEL 6.12 038/107] af_packet: avoid erroring out after sock_init_data() in packet_create() Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 042/107] net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 043/107] net: inet: do not leave a dangling sk pointer in inet_create() Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 044/107] net: inet6: do not leave a dangling sk pointer in inet6_create() Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 056/107] net: sfp: change quirks for Alcatel Lucent G-010S-P Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 057/107] net: stmmac: Programming sequence for VLAN packets with split header Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 063/107] netlink: specs: Add missing bitset attrs to ethtool spec Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 068/107] mptcp: annotate data-races around subflow->fully_established Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 074/107] fsl/fman: Validate cell-index value obtained from Device Tree Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 075/107] net/tcp: Add missing lockdep annotations for TCP-AO hlist traversals Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 076/107] net: enetc: remove ERR050089 workaround for i.MX95 Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 077/107] net: enetc: add i.MX95 EMDIO support Sasha Levin
2024-11-24 13:29 ` Sasha Levin [this message]
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 090/107] mptcp: fix possible integer overflow in mptcp_reset_tout_timer Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 091/107] dsa: qca8k: Use nested lock to avoid splat Sasha Levin
2024-11-24 13:29 ` [PATCH AUTOSEL 6.12 098/107] Bluetooth: Add new quirks for ATS2851 Sasha Levin
2024-11-24 13:30 ` [PATCH AUTOSEL 6.12 105/107] rocker: fix link status detection in rocker_carrier_init() Sasha Levin
2024-11-24 13:30 ` [PATCH AUTOSEL 6.12 106/107] net/neighbor: clear error in case strict check is not set Sasha Levin
2024-11-24 13:30 ` [PATCH AUTOSEL 6.12 107/107] netpoll: Use rcu_access_pointer() in __netpoll_setup Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241124133301.3341829-84-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andrew+netdev@lunn.ch \
--cc=darren.kenny@oracle.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jasowang@redhat.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=si-wei.liu@oracle.com \
--cc=stable@vger.kernel.org \
--cc=virtualization@lists.linux.dev \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).