From: Andrew Melnichenko
Date: Thu, 28 Mar 2024 09:46:36 +0200
Subject: Re: [PATCH v2 1/1] vhost: Added pad cleanup if vnet_hdr is not present.
To: Jason Wang
Cc: mst@redhat.com, ast@kernel.org, daniel@iogearbox.net, davem@davemloft.net, kuba@kernel.org, hawk@kernel.org, john.fastabend@gmail.com, kvm@vger.kernel.org, virtualization@lists.linux.dev, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, yuri.benditovich@daynix.com, yan@daynix.com

Thanks, I'll look into it.

On Thu, Mar 28, 2024 at 6:03 AM Jason Wang wrote:
>
> On Thu, Mar 28, 2024 at 7:44 AM Andrew Melnychenko wrote:
> >
> > When the Qemu launched with vhost but without tap vnet_hdr,
> > vhost tries to copy vnet_hdr from socket iter with size 0
> > to the page that may contain some trash.
> > That trash can be interpreted as unpredictable values for
> > vnet_hdr.
> > That leads to dropping some packets and in some cases to
> > stalling vhost routine when the vhost_net tries to process
> > packets and fails in a loop.
> >
> > Qemu options:
> >   -netdev tap,vhost=on,vnet_hdr=off,...
> >
> > From security point of view, wrong values on field used later
> > tap's tap_get_user_xdp() and will affect skb gso and options.
> > Later the header(and data in headroom) should not be used by the stack.
> > Using custom socket as a backend to vhost_net can reveal some data
> > in the vnet_hdr, although it would require kernel access to implement.
> >
> > The issue happens because the value of sock_len in virtqueue is 0.
> > That value is set at vhost_net_set_features() with
> > VHOST_NET_F_VIRTIO_NET_HDR, also it's set to zero at device open()
> > and reset() routine.
> > So, currently, to trigger the issue, we need to set up qemu with
> > vhost=on,vnet_hdr=off, or do not configure vhost in the custom program.
> >
> > Signed-off-by: Andrew Melnychenko
>
> Acked-by: Jason Wang
>
> It seems it has been merged by Michael.
>
> Thanks
>
> > --- > > drivers/vhost/net.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c > > index f2ed7167c848..57411ac2d08b 100644 > > --- a/drivers/vhost/net.c > > +++ b/drivers/vhost/net.c > > @@ -735,6 +735,9 @@ static int vhost_net_build_xdp(struct vhost_net_vir= tqueue *nvq, > > hdr =3D buf; > > gso =3D &hdr->gso; > > > > + if (!sock_hlen) > > + memset(buf, 0, pad); > > + > > if ((gso->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) && > > vhost16_to_cpu(vq, gso->csum_start) + > > vhost16_to_cpu(vq, gso->csum_offset) + 2 > > > -- > > 2.43.0 > > >
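
Review bot: The added `if (!sock_hlen) memset(buf, 0, pad);` in vhost_net_build_xdp() has no comment, so the reason the whole pad is cleared lives only in the commit message. A one-line comment above the check, saying that with sock_hlen == 0 no vnet_hdr is copied in and hdr->gso would otherwise be read from stale page contents, would keep it from being dropped in a later cleanup. The commit message also calls the field sock_len while the code tests sock_hlen, and for a fix it describes as security-relevant there is no Fixes: tag among the visible trailers; both are worth correcting if the patch is respun or backported.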