From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 608A1225414; Tue, 8 Jul 2025 16:49:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751993353; cv=none; b=toweDcc1jxs6ZeBo3fsClIFkGILbkOWsBn6h9h5u6GWihD05sMh2YYDSHkAWQWotjdzyx5HQ5Vk4DwHYneWpKHIwldVsVtBwcTuih8qth00c30I7Fty9Q8zohYyO28ostfSS16TzJJoTMGIPm41zyuK+D9Wes/sSmgtdkpiyRU4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1751993353; c=relaxed/simple; bh=nCcMYxlSnP6uU2zIw7kFMx8cK6IxGGiNrFOinkwdJHU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hKbuwVuXqk9JyxABCVsxk/RQrmGIfkfRqiI4G60b0IyUDu26vKyrfyq8dRgTW7AN27UYYZCyV3Tg25RZzj6ON9bCA784F67NyqY2xyUCm2s1JU/PIiy5kQmygq2/xDaHaYdnL+L8duoifNW0uwE85cfrdfhqjiDkMYySqFNKG/g= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=UNseU57U; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="UNseU57U" Received: by smtp.kernel.org (Postfix) with ESMTPSA id DB5D1C4CEED; Tue, 8 Jul 2025 16:49:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1751993353; bh=nCcMYxlSnP6uU2zIw7kFMx8cK6IxGGiNrFOinkwdJHU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UNseU57UlnPIZ/K7THVMgxFvopwynMwkDlskWM/iP421MxD+rmhZVS7fPyh86fKYL yzuqOWHGmKS9MOdjZ9+SX486qC10EicLGD/1SFJu6eUHjNYZMEwOqjOTm6FE/oIcfB tcbyVjKogH5PiGmIoUUuWkB5clggFI8inAQN9oIA= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Xuan Zhuo , Bui Quang Minh , Paolo Abeni Subject: [PATCH 6.15 004/178] virtio-net: xsk: rx: fix the frames length check Date: Tue, 8 Jul 2025 18:20:41 +0200 Message-ID: <20250708162236.669619434@linuxfoundation.org> X-Mailer: git-send-email 2.50.0 In-Reply-To: <20250708162236.549307806@linuxfoundation.org> References: <20250708162236.549307806@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Bui Quang Minh commit 5177373c31318c3c6a190383bfd232e6cf565c36 upstream. When calling buf_to_xdp, the len argument is the frame data's length without virtio header's length (vi->hdr_len). We check that len with xsk_pool_get_rx_frame_size() + vi->hdr_len to ensure the provided len does not larger than the allocated chunk size. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk, we use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost to start placing data from hard_start + XDP_PACKET_HEADROOM - vi->hdr_len not hard_start + XDP_PACKET_HEADROOM But the first buffer has virtio_header, so the maximum frame's length in the first buffer can only be xsk_pool_get_rx_frame_size() not xsk_pool_get_rx_frame_size() + vi->hdr_len like in the current check. This commit adds an additional argument to buf_to_xdp differentiate between the first buffer and other ones to correctly calculate the maximum frame's length. Cc: stable@vger.kernel.org Reviewed-by: Xuan Zhuo Fixes: a4e7ba702701 ("virtio_net: xsk: rx: support recv small mode") Signed-off-by: Bui Quang Minh Link: https://patch.msgid.link/20250630151315.86722-2-minhquangbui99@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman --- drivers/net/virtio_net.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -1127,15 +1127,29 @@ static void check_sq_full_and_disable(st } } +/* Note that @len is the length of received data without virtio header */ static struct xdp_buff *buf_to_xdp(struct virtnet_info *vi, - struct receive_queue *rq, void *buf, u32 len) + struct receive_queue *rq, void *buf, + u32 len, bool first_buf) { struct xdp_buff *xdp; u32 bufsize; xdp = (struct xdp_buff *)buf; - bufsize = xsk_pool_get_rx_frame_size(rq->xsk_pool) + vi->hdr_len; + /* In virtnet_add_recvbuf_xsk, we use part of XDP_PACKET_HEADROOM for + * virtio header and ask the vhost to fill data from + * hard_start + XDP_PACKET_HEADROOM - vi->hdr_len + * The first buffer has virtio header so the remaining region for frame + * data is + * xsk_pool_get_rx_frame_size() + * While other buffers than the first one do not have virtio header, so + * the maximum frame data's length can be + * xsk_pool_get_rx_frame_size() + vi->hdr_len + */ + bufsize = xsk_pool_get_rx_frame_size(rq->xsk_pool); + if (!first_buf) + bufsize += vi->hdr_len; if (unlikely(len > bufsize)) { pr_debug("%s: rx error: len %u exceeds truesize %u\n", @@ -1260,7 +1274,7 @@ static int xsk_append_merge_buffer(struc u64_stats_add(&stats->bytes, len); - xdp = buf_to_xdp(vi, rq, buf, len); + xdp = buf_to_xdp(vi, rq, buf, len, false); if (!xdp) goto err; @@ -1358,7 +1372,7 @@ static void virtnet_receive_xsk_buf(stru u64_stats_add(&stats->bytes, len); - xdp = buf_to_xdp(vi, rq, buf, len); + xdp = buf_to_xdp(vi, rq, buf, len, true); if (!xdp) return;