From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jason Wang, Paolo Abeni, "David S. Miller"
Subject: [PATCH 5.4 220/260] vhost_net: fix OoB on sendmsg() failure.
Date: Mon, 20 Sep 2021 18:43:58 +0200
Message-Id: <20210920163938.586875942@linuxfoundation.org>
In-Reply-To: <20210920163931.123590023@linuxfoundation.org>
References: <20210920163931.123590023@linuxfoundation.org>

From: Paolo Abeni

commit 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c upstream.

If the sendmsg() call in vhost_tx_batch() fails, both the 'batched_xdp'
and 'done_idx' indexes are left unchanged. If such failure happens
when batched_xdp == VHOST_NET_BATCH, the next call to
vhost_net_build_xdp() will access and write memory outside the xdp
buffers area.

Since sendmsg() can only error with EBADFD, this change addresses the
issue explicitly freeing the XDP buffers batch on error.

Fixes: 0a0be13b8fe2 ("vhost_net: batch submitting XDP buffers to underlayer sockets")
Suggested-by: Jason Wang
Signed-off-by: Paolo Abeni
Acked-by: Jason Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
--- drivers/vhost/net.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -466,7 +466,7 @@ static void vhost_tx_batch(struct vhost_ .num = nvq->batched_xdp, .ptr = nvq->xdp, }; - int err; + int i, err; if (nvq->batched_xdp == 0) goto signal_used; 
@@ -475,6 +475,15 @@ static void vhost_tx_batch(struct vhost_ err = sock->ops->sendmsg(sock, msghdr, 0); if (unlikely(err < 0)) { vq_err(&nvq->vq, "Fail to batch sending packets\n"); + + /* free pages owned by XDP; since this is an unlikely error path, + * keep it simple and avoid more complex bulk update for the + * used pages + */ + for (i = 0; i < nvq->batched_xdp; ++i) + put_page(virt_to_head_page(nvq->xdp[i].data)); + nvq->batched_xdp = 0; + nvq->done_idx = 0; return; }
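
Review bot: The new error branch after sock->ops->sendmsg() in vhost_tx_batch() calls put_page() on every nvq->xdp[i].data, which is only correct if the socket took ownership of none of the batched buffers before failing, and the in-code comment does not say so. The commit message gives the reason (sendmsg() can only error with EBADFD), but a reader of net.c sees only "keep it simple". I would state the assumption in the comment itself, for example "sendmsg() fails only with EBADFD, so no buffer in the batch was consumed", so that a later change giving sendmsg() partial-failure semantics is recognised as turning this loop into a double put. The same comment should also say what nvq->done_idx = 0 means for descriptors already counted there, since this path returns directly instead of going through signal_used.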