[PATCHv3] virtio-net: correct packet length math

Message ID	20100624155407.GA11165@redhat.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> Date: Thu, 24 Jun 2010 18:54:07 +0300 From: "Michael S. Tsirkin" <mst@redhat.com> To: qemu-devel@nongnu.org, Juan Quintela <quintela@redhat.com>, Amit Shah <amit.shah@redhat.com>, alex.williamson@redhat.com Message-ID: <20100624155407.GA11165@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.19 (2009-01-05) Cc: Subject: [Qemu-devel] [PATCHv3] virtio-net: correct packet length math Precedence: list Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message ID

20100624155407.GA11165@redhat.com

State

New

Headers

Date: Thu, 24 Jun 2010 18:54:07 +0300
From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org, Juan Quintela <quintela@redhat.com>,
	Amit Shah <amit.shah@redhat.com>, alex.williamson@redhat.com
Message-ID: <20100624155407.GA11165@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.19 (2009-01-05)
Cc: 
Subject: [Qemu-devel] [PATCHv3] virtio-net: correct packet length math
Precedence: list
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Commit Message

Michael S. Tsirkin June 24, 2010, 3:54 p.m. UTC

We were requesting too much when checking buffer
length: size already includes host header length.

Further, we should not exit if we get a packet that
is too long, since this might not be under control
of the guest. Just drop the packet.

Red Hat bz 591494

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

Changes from v2:
	fixed format warning.
Changes from v1:
	drop packet instead of exit.

 hw/virtio-net.c |   41 ++++++++++++++++++++++++++++-------------
 1 files changed, 28 insertions(+), 13 deletions(-)

Comments

Amit Shah June 25, 2010, 7:17 a.m. UTC | #1

On (Thu) Jun 24 2010 [18:54:07], Michael S. Tsirkin wrote:
> We were requesting too much when checking buffer
> length: size already includes host header length.
> 
> Further, we should not exit if we get a packet that
> is too long, since this might not be under control
> of the guest. Just drop the packet.

control of the host?

> @@ -579,19 +581,32 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
>                  mhdr = (struct virtio_net_hdr_mrg_rxbuf *)sg[0].iov_base;
>  
>              offset += receive_header(n, sg, elem.in_num,
> -                                     buf + offset, size - offset, hdr_len);
> -            total += hdr_len;
> +                                     buf + offset, size - offset, guest_hdr_len);
> +            total += guest_hdr_len;
>          }
>  
>          /* copy in packet.  ugh */
>          len = iov_from_buf(sg, elem.in_num,
>                             buf + offset, size - offset);
>          total += len;
> +        offset += len;
> +        /* If buffers can't be merged, at this point we
> +         * must have consumed the complete packet.
> +         * Otherwise, drop it. */
> +        if (!n->mergeable_rx_bufs && offset < size) {
> +#if 0
> +            fprintf(stderr, "virtio-net truncated non-mergeable packet: "
> +
> +                    "i %zd mergeable %d offset %zd, size %zd, "
> +                    "guest hdr len %zd, host hdr len %zd\n",
> +                    i, n->mergeable_rx_bufs,
> +                    offset, size, guest_hdr_len, host_hdr_len);
> +#endif
> +            return size;
> +        }

Before returning, won't you have to finish off the virtqueue operations
-- fill, flush, kick, etc.?

		Amit

Michael S. Tsirkin June 25, 2010, 10:58 a.m. UTC | #2

On Fri, Jun 25, 2010 at 12:47:03PM +0530, Amit Shah wrote:
> On (Thu) Jun 24 2010 [18:54:07], Michael S. Tsirkin wrote:
> > We were requesting too much when checking buffer
> > length: size already includes host header length.
> > 
> > Further, we should not exit if we get a packet that
> > is too long, since this might not be under control
> > of the guest. Just drop the packet.
> 
> control of the host?

Well, host too I guess. What I was trying to say, it might not
be the fault of the guest that it got a packet
that is too long.

> > @@ -579,19 +581,32 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
> >                  mhdr = (struct virtio_net_hdr_mrg_rxbuf *)sg[0].iov_base;
> >  
> >              offset += receive_header(n, sg, elem.in_num,
> > -                                     buf + offset, size - offset, hdr_len);
> > -            total += hdr_len;
> > +                                     buf + offset, size - offset, guest_hdr_len);
> > +            total += guest_hdr_len;
> >          }
> >  
> >          /* copy in packet.  ugh */
> >          len = iov_from_buf(sg, elem.in_num,
> >                             buf + offset, size - offset);
> >          total += len;
> > +        offset += len;
> > +        /* If buffers can't be merged, at this point we
> > +         * must have consumed the complete packet.
> > +         * Otherwise, drop it. */
> > +        if (!n->mergeable_rx_bufs && offset < size) {
> > +#if 0
> > +            fprintf(stderr, "virtio-net truncated non-mergeable packet: "
> > +
> > +                    "i %zd mergeable %d offset %zd, size %zd, "
> > +                    "guest hdr len %zd, host hdr len %zd\n",
> > +                    i, n->mergeable_rx_bufs,
> > +                    offset, size, guest_hdr_len, host_hdr_len);
> > +#endif
> > +            return size;
> > +        }
> 
> Before returning, won't you have to finish off the virtqueue operations
> -- fill, flush, kick, etc.?
> 
> 		Amit

No, this would consume a buffer. We just want to drop the packet
without side-effects. But we do need to decrement the inuse counter.
I'll respin the patch.

diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 06ba481..1018c32 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -527,17 +527,18 @@  static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
 {
     VirtIONet *n = DO_UPCAST(NICState, nc, nc)->opaque;
     struct virtio_net_hdr_mrg_rxbuf *mhdr = NULL;
-    size_t hdr_len, offset, i;
+    size_t guest_hdr_len, offset, i, host_hdr_len;
 
     if (!virtio_net_can_receive(&n->nic->nc))
         return -1;
 
     /* hdr_len refers to the header we supply to the guest */
-    hdr_len = n->mergeable_rx_bufs ?
+    guest_hdr_len = n->mergeable_rx_bufs ?
         sizeof(struct virtio_net_hdr_mrg_rxbuf) : sizeof(struct virtio_net_hdr);
 
 
-    if (!virtio_net_has_buffers(n, size + hdr_len))
+    host_hdr_len = n->has_vnet_hdr ? sizeof(struct virtio_net_hdr) : 0;
+    if (!virtio_net_has_buffers(n, size + guest_hdr_len - host_hdr_len))
         return 0;
 
     if (!receive_filter(n, buf, size))
@@ -552,13 +553,14 @@  static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
 
         total = 0;
 
-        if ((i != 0 && !n->mergeable_rx_bufs) ||
-            virtqueue_pop(n->rx_vq, &elem) == 0) {
+        if (virtqueue_pop(n->rx_vq, &elem) == 0) {
             if (i == 0)
                 return -1;
-            fprintf(stderr, "virtio-net truncating packet: "
-                    "offset %zd, size %zd, hdr_len %zd\n",
-                    offset, size, hdr_len);
+            fprintf(stderr, "virtio-net unexpected empty queue: "
+                    "i %zd mergeable %d offset %zd, size %zd, "
+                    "guest hdr len %zd, host hdr len %zd guest features 0x%x\n",
+                    i, n->mergeable_rx_bufs, offset, size,
+                    guest_hdr_len, host_hdr_len, n->vdev.guest_features);
             exit(1);
         }
 
@@ -567,7 +569,7 @@  static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
             exit(1);
         }
 
-        if (!n->mergeable_rx_bufs && elem.in_sg[0].iov_len != hdr_len) {
+        if (!n->mergeable_rx_bufs && elem.in_sg[0].iov_len != guest_hdr_len) {
             fprintf(stderr, "virtio-net header not in first element\n");
             exit(1);
         }
@@ -579,19 +581,32 @@  static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
                 mhdr = (struct virtio_net_hdr_mrg_rxbuf *)sg[0].iov_base;
 
             offset += receive_header(n, sg, elem.in_num,
-                                     buf + offset, size - offset, hdr_len);
-            total += hdr_len;
+                                     buf + offset, size - offset, guest_hdr_len);
+            total += guest_hdr_len;
         }
 
         /* copy in packet.  ugh */
         len = iov_from_buf(sg, elem.in_num,
                            buf + offset, size - offset);
         total += len;
+        offset += len;
+        /* If buffers can't be merged, at this point we
+         * must have consumed the complete packet.
+         * Otherwise, drop it. */
+        if (!n->mergeable_rx_bufs && offset < size) {
+#if 0
+            fprintf(stderr, "virtio-net truncated non-mergeable packet: "
+
+                    "i %zd mergeable %d offset %zd, size %zd, "
+                    "guest hdr len %zd, host hdr len %zd\n",
+                    i, n->mergeable_rx_bufs,
+                    offset, size, guest_hdr_len, host_hdr_len);
+#endif
+            return size;
+        }
 
         /* signal other side */
         virtqueue_fill(n->rx_vq, &elem, total, i++);
-
-        offset += len;
     }
 
     if (mhdr)

[PATCHv3] virtio-net: correct packet length math

Commit Message

Comments

Patch