On Fri, Jul 15, 2016 at 10:23:12AM +0300, Ilya Maximets wrote: > On 15.07.2016 09:17, Yuanhan Liu wrote: > > On Thu, Jul 14, 2016 at 11:18:39AM +0300, Ilya Maximets wrote: > >> In current implementation vhost will crash with segmentation fault > >> if malicious or buggy virtio application breaks addresses of descriptors. > >> > >> Before commit 0823c1cb0a73 this crash was reproducible even with > >> normal DPDK application that tries to change number of virtqueues > >> dynamically inside VM. > >> > >> Fix that by checking addresses of descriptors before using. > >> > >> Also fixed return value on error for 'copy_mbuf_to_desc_mergeable()' > >> from '-1' to '0' because it returns unsigned value and it means > >> number of used descriptors. > > > > Yeah, that's a good fix. Thanks. > > > > Maybe you'd better make it a standalone patch. > > Ok. Maybe I should split this patch in two: > 1. Fix return value + using of this value (vq->last_used_idx += nr_used;) > 2. Check addresses of descriptors. > What do you think?
Good to me. > >> Signed-off-by: Ilya Maximets <i.maximets at samsung.com> > >> --- > >> Version 2: > >> * Rebased on top of current master. > >> * host's address now checked in meargeable case, > >> because needed refactoring already done. > >> * Commit-message changed because old issue with > >> virtio reload accidentially fixed by commit > >> 0823c1cb0a73. > >> > >> lib/librte_vhost/vhost_rxtx.c | 28 +++++++++++++++++++++------- > >> 1 file changed, 21 insertions(+), 7 deletions(-) > >> > >> diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c > >> index 15ca956..31e8b58 100644 > >> --- a/lib/librte_vhost/vhost_rxtx.c > >> +++ b/lib/librte_vhost/vhost_rxtx.c > >> @@ -147,10 +147,10 @@ copy_mbuf_to_desc(struct virtio_net *dev, struct > >> vhost_virtqueue *vq, > >> struct virtio_net_hdr_mrg_rxbuf virtio_hdr = {{0, 0, 0, 0, 0, 0}, 0}; > >> > >> desc = &vq->desc[desc_idx]; > >> - if (unlikely(desc->len < dev->vhost_hlen)) > >> + desc_addr = gpa_to_vva(dev, desc->addr); > >> + if (unlikely(desc->len < dev->vhost_hlen || !desc_addr)) > >> return -1; > > > > So, you discards the workaround from Rich? > > I can apply it, if you wish. Should I? Yeah, it's hard to tell. The performace regression is weird after all. I'm thinking we should appy it anyway: it saves 10% regression, which is worthwhile. I think we should also add comments there. --yliu