Subject: Re: [PATCH v2 1/1] xen-netfront: do not use ~0U as error return value for xennet_fill_frags()
From: Jürgen Groß
To: Dongli Zhang, xen-devel@lists.xenproject.org, netdev@vger.kernel.org
Cc: davem@davemloft.net, sstabellini@kernel.org, boris.ostrovsky@oracle.com, joe.jin@oracle.com, linux-kernel@vger.kernel.org
Date: Tue, 1 Oct 2019 16:39:21 +0200
Message-ID: <2071a165-c25f-210d-bda3-9090fe0d5c0e@suse.com>
In-Reply-To: <1569938201-23620-1-git-send-email-dongli.zhang@oracle.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 01.10.19 15:56, Dongli Zhang
wrote:
> xennet_fill_frags() uses ~0U as return value when the sk_buff is not able
> to cache extra fragments. This is incorrect because the return type of
> xennet_fill_frags() is RING_IDX and 0xffffffff is an expected value for
> ring buffer index.
>
> In the situation when the rsp_cons is approaching 0xffffffff, the return
> value of xennet_fill_frags() may become 0xffffffff which xennet_poll() (the
> caller) would regard as error. As a result, queue->rx.rsp_cons is set
> incorrectly because it is updated only when there is error. If there is no
> error, xennet_poll() would be responsible to update queue->rx.rsp_cons.
> Finally, queue->rx.rsp_cons would point to the rx ring buffer entries whose
> queue->rx_skbs[i] and queue->grant_rx_ref[i] are already cleared to NULL.
> This leads to NULL pointer access in the next iteration to process rx ring
> buffer entries.
>
> The symptom is similar to the one fixed in
> commit 00b368502d18 ("xen-netfront: do not assume sk_buff_head list is
> empty in error handling").
>
> This patch changes the return type of xennet_fill_frags() to indicate
> whether it is successful or failed. The queue->rx.rsp_cons will be
> always updated inside this function.
>
> Fixes: ad4f15dc2c70 ("xen/netfront: don't bug in case of too many frags")
> Signed-off-by: Dongli Zhang

Reviewed-by: Juergen Gross

Juergen
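
The sentinel collision described in the quoted commit message, as an added example that is not part of this thread or of the kernel source: a simplified user-space model of an in-band `~0U` error value next to an out-of-band status return. `struct rxq`, `struct result`, `poll_sentinel()`, `poll_status()`, `MAX_FRAGS` and the index arithmetic on the error path are assumptions made for illustration.

```c
#include <stdio.h>

typedef unsigned int RING_IDX;  /* free-running index: every 32-bit value is valid */
#define MAX_FRAGS 17U           /* constructed limit for this model */
#define FRAG_ERR  (~0U)         /* in-band error value the commit message removes */

struct rxq { RING_IDX rsp_cons; };
struct result { int err; RING_IDX rsp_cons; };

/* "Before" shape: the error path stores the index itself and returns ~0U;
 * the success path returns the new index for the caller to store. */
static RING_IDX fill_frags_sentinel(struct rxq *q, RING_IDX cons, unsigned int nr)
{
    if (nr > MAX_FRAGS) {
        q->rsp_cons = cons + nr;    /* assumed: skip the oversized packet */
        return FRAG_ERR;
    }
    return cons + nr;
}

/* Caller for the "before" shape: reports the rsp_cons it leaves behind. */
static struct result poll_sentinel(RING_IDX start, unsigned int nr)
{
    struct rxq q = { start };
    RING_IDX i = fill_frags_sentinel(&q, q.rsp_cons, nr);
    int err = (i == FRAG_ERR);      /* a valid index of 0xffffffff lands here too */
    if (!err)
        q.rsp_cons = i;
    return (struct result){ err, q.rsp_cons };
}

/* "After" shape: status is out-of-band and the callee always stores the index. */
static int fill_frags_status(struct rxq *q, RING_IDX cons, unsigned int nr)
{
    q->rsp_cons = cons + nr;
    return nr > MAX_FRAGS ? -1 : 0;
}

static struct result poll_status(RING_IDX start, unsigned int nr)
{
    struct rxq q = { start };
    int err = fill_frags_status(&q, q.rsp_cons, nr) != 0;
    return (struct result){ err, q.rsp_cons };
}

int main(void)
{
    struct result a = poll_sentinel(0xfffffffdU, 2), b = poll_status(0xfffffffdU, 2);
    printf("sentinel: err=%d cons=%#x\nstatus:   err=%d cons=%#x\n",
           a.err, a.rsp_cons, b.err, b.rsp_cons);
    return 0;
}
```

Starting two entries below the top of the index range, the sentinel variant reports an error for a valid packet and leaves `rsp_cons` stale, while the status variant advances to `0xffffffff` and wraps correctly on the next call.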