From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jason Wang, Paolo Abeni, "David S. Miller"
Subject: [PATCH 5.14 060/168] vhost_net: fix OoB on sendmsg() failure.
Date: Mon, 20 Sep 2021 18:43:18 +0200
Message-Id: <20210920163923.611496519@linuxfoundation.org>
In-Reply-To: <20210920163921.633181900@linuxfoundation.org>
References: <20210920163921.633181900@linuxfoundation.org>

From: Paolo Abeni

commit 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c upstream.

If the sendmsg() call in vhost_tx_batch() fails, both the 'batched_xdp'
and 'done_idx' indexes are left unchanged. If such failure happens when
batched_xdp == VHOST_NET_BATCH, the next call to vhost_net_build_xdp()
will access and write memory outside the xdp buffers area.

Since sendmsg() can only error with EBADFD, this change addresses the
issue explicitly freeing the XDP buffers batch on error.

Fixes: 0a0be13b8fe2 ("vhost_net: batch submitting XDP buffers to underlayer sockets")
Suggested-by: Jason Wang
Signed-off-by: Paolo Abeni
Acked-by: Jason Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

--- drivers/vhost/net.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -467,7 +467,7 @@ static void vhost_tx_batch(struct vhost_ .num = nvq->batched_xdp, .ptr = nvq->xdp, }; - int err; + int i, err; if (nvq->batched_xdp == 0) goto signal_used; 
@@ -476,6 +476,15 @@ static void vhost_tx_batch(struct vhost_ err = sock->ops->sendmsg(sock, msghdr, 0); if (unlikely(err < 0)) { vq_err(&nvq->vq, "Fail to batch sending packets\n"); + + /* free pages owned by XDP; since this is an unlikely error path, + * keep it simple and avoid more complex bulk update for the + * used pages + */ + for (i = 0; i < nvq->batched_xdp; ++i) + put_page(virt_to_head_page(nvq->xdp[i].data)); + nvq->batched_xdp = 0; + nvq->done_idx = 0; return; }
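
Review bot: the in-code comment in the second hunk (@@ -476,6 +476,15 @@) does not state the assumption that makes this error path safe. `nvq->done_idx = 0; return;` discards whatever done_idx had accumulated and leaves without reaching the signal_used label the function jumps to elsewhere, while the comment only says the bulk update is skipped to keep things simple. The commit message justifies this by noting that sendmsg() can only fail with EBADFD; putting that sentence in the comment would tell a later reader that the shortcut stops being valid if sendmsg() ever returns a recoverable error. The put_page() loop likewise assumes that after a failed sendmsg() all nvq->batched_xdp buffers are still owned by this function and none were consumed before the error, which is also worth a word in the comment, since a partially consumed batch would have its pages released twice.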