virtio declares support for NETIF_F_FRAGLIST, but assumes
that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
always true with a fraglist.
A longer fraglist in the skb will make the call to skb_to_sgvec overflow
the sg array, leading to memory corruption.
Drop NETIF_F_FRAGLIST so we only get what we can handle.
Cc: Michael S. Tsirkin <mst at redhat.com>
Signed-off-by: Jason Wang <jasowang at redhat.com>
---
The patch is needed for stable.
---
drivers/net/virtio_net.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 7fbca37..2347a73 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -1756,9 +1756,9 @@ static int virtnet_probe(struct virtio_device *vdev)
/* Do we support "hardware" checksums? */
if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) {
/* This opens up the world of extra features. */
- dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
+ dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG;
if (csum)
- dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST;
+ dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG;
if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) {
dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO
--
2.1.4
On Tue, Aug 04, 2015 at 05:55:45PM +0800, Jason Wang wrote:> virtio declares support for NETIF_F_FRAGLIST, but assumes > that there are at most MAX_SKB_FRAGS + 2 fragments which isn't > always true with a fraglist. > > A longer fraglist in the skb will make the call to skb_to_sgvec overflow > the sg array, leading to memory corruption. > > Drop NETIF_F_FRAGLIST so we only get what we can handle. > > Cc: Michael S. Tsirkin <mst at redhat.com> > Signed-off-by: Jason Wang <jasowang at redhat.com>Acked-by: Michael S. Tsirkin <mst at redhat.com> Especially important now that virtio_net: add gro capability was merged for net-next, making bridged setups create fraglists.> --- > The patch is needed for stable. > --- > drivers/net/virtio_net.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c > index 7fbca37..2347a73 100644 > --- a/drivers/net/virtio_net.c > +++ b/drivers/net/virtio_net.c > @@ -1756,9 +1756,9 @@ static int virtnet_probe(struct virtio_device *vdev) > /* Do we support "hardware" checksums? */ > if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) { > /* This opens up the world of extra features. */ > - dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; > + dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG; > if (csum) > - dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; > + dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG; > > if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) { > dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO > -- > 2.1.4
Hello. On 8/4/2015 12:55 PM, Jason Wang wrote:> virtio declares support for NETIF_F_FRAGLIST, but assumes > that there are at most MAX_SKB_FRAGS + 2 fragments which isn't > always true with a fraglist.> A longer fraglist in the skb will make the call to skb_to_sgvec overflow > the sg array, leading to memory corruption.> Drop NETIF_F_FRAGLIST so we only get what we can handle.> Cc: Michael S. Tsirkin <mst at redhat.com> > Signed-off-by: Jason Wang <jasowang at redhat.com> > --- > The patch is needed for stable. > --- > drivers/net/virtio_net.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-)> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c > index 7fbca37..2347a73 100644 > --- a/drivers/net/virtio_net.c > +++ b/drivers/net/virtio_net.c > @@ -1756,9 +1756,9 @@ static int virtnet_probe(struct virtio_device *vdev) > /* Do we support "hardware" checksums? */ > if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) { > /* This opens up the world of extra features. */ > - dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; > + dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG; > if (csum) > - dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; > + dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG;I'd have added spaces around | to match the style seen below.> if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) { > dev->hw_features |= NETIF_F_TSO | NETIF_F_UFOMBR, Sergei
On 08/04/2015 07:11 PM, Sergei Shtylyov wrote:> Hello. > > On 8/4/2015 12:55 PM, Jason Wang wrote: > >> virtio declares support for NETIF_F_FRAGLIST, but assumes >> that there are at most MAX_SKB_FRAGS + 2 fragments which isn't >> always true with a fraglist. > >> A longer fraglist in the skb will make the call to skb_to_sgvec overflow >> the sg array, leading to memory corruption. > >> Drop NETIF_F_FRAGLIST so we only get what we can handle. > >> Cc: Michael S. Tsirkin <mst at redhat.com> >> Signed-off-by: Jason Wang <jasowang at redhat.com> >> --- >> The patch is needed for stable. >> --- >> drivers/net/virtio_net.c | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) > >> diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c >> index 7fbca37..2347a73 100644 >> --- a/drivers/net/virtio_net.c >> +++ b/drivers/net/virtio_net.c >> @@ -1756,9 +1756,9 @@ static int virtnet_probe(struct virtio_device >> *vdev) >> /* Do we support "hardware" checksums? */ >> if (virtio_has_feature(vdev, VIRTIO_NET_F_CSUM)) { >> /* This opens up the world of extra features. */ >> - dev->hw_features |>> NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; >> + dev->hw_features |= NETIF_F_HW_CSUM|NETIF_F_SG; >> if (csum) >> - dev->features |>> NETIF_F_HW_CSUM|NETIF_F_SG|NETIF_F_FRAGLIST; >> + dev->features |= NETIF_F_HW_CSUM|NETIF_F_SG; > > I'd have added spaces around | to match the style seen below. >Ok, will fix this in V2.>> if (virtio_has_feature(vdev, VIRTIO_NET_F_GSO)) { >> dev->hw_features |= NETIF_F_TSO | NETIF_F_UFO > > MBR, Sergei >