Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.
This commit fixes the received length check corresponding to the new change.
Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets") Cc: stable@vger.kernel.org Signed-off-by: Bui Quang Minh minhquangbui99@gmail.com --- Changes in v5: - Move the length check to receive_big - Link to v4: https://lore.kernel.org/netdev/20251022160623.51191-1-minhquangbui99@gmail.c... Changes in v4: - Remove unrelated changes, add more comments - Link to v3: https://lore.kernel.org/netdev/20251021154534.53045-1-minhquangbui99@gmail.c... Changes in v3: - Convert BUG_ON to WARN_ON_ONCE - Link to v2: https://lore.kernel.org/netdev/20250708144206.95091-1-minhquangbui99@gmail.c... Changes in v2: - Remove incorrect give_pages call - Link to v1: https://lore.kernel.org/netdev/20250706141150.25344-1-minhquangbui99@gmail.c... --- drivers/net/virtio_net.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index a757cbcab87f..2c3f544add5e 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -910,17 +910,6 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi, goto ok; }
- /* - * Verify that we can indeed put this data into a skb. - * This is here to handle cases when the device erroneously - * tries to receive more than is possible. This is usually - * the case of a broken device. - */ - if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) { - net_dbg_ratelimited("%s: too much data\n", skb->dev->name); - dev_kfree_skb(skb); - return NULL; - } BUG_ON(offset >= PAGE_SIZE); while (len) { unsigned int frag_size = min((unsigned)PAGE_SIZE - offset, len); @@ -2107,9 +2096,19 @@ static struct sk_buff *receive_big(struct net_device *dev, struct virtnet_rq_stats *stats) { struct page *page = buf; - struct sk_buff *skb = - page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); + struct sk_buff *skb; + + /* Make sure that len does not exceed the allocated size in + * add_recvbuf_big. + */ + if (unlikely(len > vi->big_packets_num_skbfrags * PAGE_SIZE)) { + pr_debug("%s: rx error: len %u exceeds allocate size %lu\n", + dev->name, len, + vi->big_packets_num_skbfrags * PAGE_SIZE); + goto err; + }
+ skb = page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); u64_stats_add(&stats->bytes, len - vi->hdr_len); if (unlikely(!skb)) goto err;
From: Bui Quang Minh minhquangbui99@gmail.com Sent: 24 October 2025 08:37 PM
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi-
big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.
This looks wrong. A device DMAed N bytes, and it reports N + M bytes in the completion? Such devices should be fixed.
If driver allocated X bytes, and device copied X + Y bytes on receive packet, it will crash the driver host anyway.
The fixes tag in this patch is incorrect because this is not a driver bug. It is just adding resiliency in driver for broken device. So driver cannot have fixes tag here.
This commit fixes the received length check corresponding to the new change.
Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets") Cc: stable@vger.kernel.org Signed-off-by: Bui Quang Minh minhquangbui99@gmail.com
Changes in v5:
- Move the length check to receive_big
- Link to v4: https://lore.kernel.org/netdev/20251022160623.51191-1-
minhquangbui99@gmail.com/ Changes in v4:
- Remove unrelated changes, add more comments
- Link to v3: https://lore.kernel.org/netdev/20251021154534.53045-1-
minhquangbui99@gmail.com/ Changes in v3:
- Convert BUG_ON to WARN_ON_ONCE
- Link to v2: https://lore.kernel.org/netdev/20250708144206.95091-1-
minhquangbui99@gmail.com/ Changes in v2:
- Remove incorrect give_pages call
- Link to v1: https://lore.kernel.org/netdev/20250706141150.25344-1-
minhquangbui99@gmail.com/
drivers/net/virtio_net.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index a757cbcab87f..2c3f544add5e 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -910,17 +910,6 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi, goto ok; }
- /*
* Verify that we can indeed put this data into a skb.* This is here to handle cases when the device erroneously* tries to receive more than is possible. This is usually* the case of a broken device.*/- if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) {
net_dbg_ratelimited("%s: too much data\n", skb->dev-name);
dev_kfree_skb(skb);return NULL;- } BUG_ON(offset >= PAGE_SIZE); while (len) { unsigned int frag_size = min((unsigned)PAGE_SIZE - offset,
len); @@ -2107,9 +2096,19 @@ static struct sk_buff *receive_big(struct net_device *dev, struct virtnet_rq_stats *stats) { struct page *page = buf;
- struct sk_buff *skb =
page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0);
struct sk_buff *skb;
/* Make sure that len does not exceed the allocated size in
* add_recvbuf_big.*/if (unlikely(len > vi->big_packets_num_skbfrags * PAGE_SIZE)) {
pr_debug("%s: rx error: len %u exceeds allocate size %lu\n",dev->name, len,vi->big_packets_num_skbfrags * PAGE_SIZE);goto err;}
skb = page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); u64_stats_add(&stats->bytes, len - vi->hdr_len); if (unlikely(!skb)) goto err;
-- 2.43.0
On 10/25/25 14:11, Parav Pandit wrote:
From: Bui Quang Minh minhquangbui99@gmail.com Sent: 24 October 2025 08:37 PM
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi-
big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.
This looks wrong. A device DMAed N bytes, and it reports N + M bytes in the completion? Such devices should be fixed.
If driver allocated X bytes, and device copied X + Y bytes on receive packet, it will crash the driver host anyway.
The fixes tag in this patch is incorrect because this is not a driver bug. It is just adding resiliency in driver for broken device. So driver cannot have fixes tag here.
Yes, I agree that the check is a protection against broken device.
The check is already there before this commit, but it is not correct since the changes in commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"). So this patch fixes the check corresponding to the new change. I think this is a valid use of Fixes tag.
Thanks, Quang Minh.
This commit fixes the received length check corresponding to the new change.
Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets") Cc: stable@vger.kernel.org Signed-off-by: Bui Quang Minh minhquangbui99@gmail.com
Changes in v5:
- Move the length check to receive_big
- Link to v4: https://lore.kernel.org/netdev/20251022160623.51191-1-
minhquangbui99@gmail.com/ Changes in v4:
- Remove unrelated changes, add more comments
- Link to v3: https://lore.kernel.org/netdev/20251021154534.53045-1-
minhquangbui99@gmail.com/ Changes in v3:
- Convert BUG_ON to WARN_ON_ONCE
- Link to v2: https://lore.kernel.org/netdev/20250708144206.95091-1-
minhquangbui99@gmail.com/ Changes in v2:
- Remove incorrect give_pages call
- Link to v1: https://lore.kernel.org/netdev/20250706141150.25344-1-
minhquangbui99@gmail.com/
drivers/net/virtio_net.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index a757cbcab87f..2c3f544add5e 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -910,17 +910,6 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi, goto ok; }
- /*
* Verify that we can indeed put this data into a skb.* This is here to handle cases when the device erroneously* tries to receive more than is possible. This is usually* the case of a broken device.*/- if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) {
net_dbg_ratelimited("%s: too much data\n", skb->dev-name);
dev_kfree_skb(skb);return NULL;- } BUG_ON(offset >= PAGE_SIZE); while (len) { unsigned int frag_size = min((unsigned)PAGE_SIZE - offset,
len); @@ -2107,9 +2096,19 @@ static struct sk_buff *receive_big(struct net_device *dev, struct virtnet_rq_stats *stats) { struct page *page = buf;
- struct sk_buff *skb =
page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0);
struct sk_buff *skb;
/* Make sure that len does not exceed the allocated size in
* add_recvbuf_big.*/if (unlikely(len > vi->big_packets_num_skbfrags * PAGE_SIZE)) {
pr_debug("%s: rx error: len %u exceeds allocate size %lu\n",dev->name, len,vi->big_packets_num_skbfrags * PAGE_SIZE);goto err;}
skb = page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); u64_stats_add(&stats->bytes, len - vi->hdr_len); if (unlikely(!skb)) goto err;
-- 2.43.0
From: Bui Quang Minh minhquangbui99@gmail.com Sent: 27 October 2025 08:19 PM
On 10/25/25 14:11, Parav Pandit wrote:
From: Bui Quang Minh minhquangbui99@gmail.com Sent: 24 October 2025 08:37 PM
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi-
big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is
larger than the allocated one.
This looks wrong. A device DMAed N bytes, and it reports N + M bytes in the completion? Such devices should be fixed.
If driver allocated X bytes, and device copied X + Y bytes on receive packet, it
will crash the driver host anyway.
The fixes tag in this patch is incorrect because this is not a driver bug. It is just adding resiliency in driver for broken device. So driver cannot have
fixes tag here.
Yes, I agree that the check is a protection against broken device.
The check is already there before this commit, but it is not correct since the changes in commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"). So this patch fixes the check corresponding to the new change. I think this is a valid use of Fixes tag.
I am missing something. If you don’t have the broken device, what part if wrong in the patch which needs fixes tag?
On 10/27/25 21:55, Parav Pandit wrote:
From: Bui Quang Minh minhquangbui99@gmail.com Sent: 27 October 2025 08:19 PM
On 10/25/25 14:11, Parav Pandit wrote:
From: Bui Quang Minh minhquangbui99@gmail.com Sent: 24 October 2025 08:37 PM
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi-
big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is
larger than the allocated one.
This looks wrong. A device DMAed N bytes, and it reports N + M bytes in the completion? Such devices should be fixed.
If driver allocated X bytes, and device copied X + Y bytes on receive packet, it
will crash the driver host anyway.
The fixes tag in this patch is incorrect because this is not a driver bug. It is just adding resiliency in driver for broken device. So driver cannot have
fixes tag here.
Yes, I agree that the check is a protection against broken device.
The check is already there before this commit, but it is not correct since the changes in commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"). So this patch fixes the check corresponding to the new change. I think this is a valid use of Fixes tag.
I am missing something. If you don’t have the broken device, what part if wrong in the patch which needs fixes tag?
The host can load the own vhost_net driver and sends the incorrect length. IMHO, it's good to sanity check the received input.
The check
if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) goto err;
is wrong because the allocated buffer is (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE not MAX_SKB_FRAGS * PAGE_SIZE anymore. vi->big_packets_num_skbfrags depends on the negotiated mtu between host and guest when guest_gso is off as in function virtnet_set_big_packets.
Thanks, Quang Minh.
From: Bui Quang Minh minhquangbui99@gmail.com Sent: 27 October 2025 08:36 PM
[..]
The check is already there before this commit, but it is not correct since the changes in commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"). So this patch fixes the check corresponding to the new change. I think this is a valid use of Fixes tag.
I am missing something. If you don’t have the broken device, what part if wrong in the patch which
needs fixes tag?
The host can load the own vhost_net driver and sends the incorrect length. IMHO, it's good to sanity check the received input.
The check
if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) goto err;
is wrong because the allocated buffer is (vi->big_packets_num_skbfrags +
- PAGE_SIZE not MAX_SKB_FRAGS * PAGE_SIZE anymore.
vi->big_packets_num_skbfrags depends on the negotiated mtu between host and guest when guest_gso is off as in function virtnet_set_big_packets.
Thanks, Quang Minh.
Got it. Yes, listed commit missed to consider length check here based on the mtu. Thanks.
On Fri, 24 Oct 2025 22:06:49 +0700, Bui Quang Minh minhquangbui99@gmail.com wrote:
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.
This commit fixes the received length check corresponding to the new change.
Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets") Cc: stable@vger.kernel.org Signed-off-by: Bui Quang Minh minhquangbui99@gmail.com
Changes in v5:
- Move the length check to receive_big
- Link to v4: https://lore.kernel.org/netdev/20251022160623.51191-1-minhquangbui99@gmail.c...
Changes in v4:
- Remove unrelated changes, add more comments
- Link to v3: https://lore.kernel.org/netdev/20251021154534.53045-1-minhquangbui99@gmail.c...
Changes in v3:
- Convert BUG_ON to WARN_ON_ONCE
- Link to v2: https://lore.kernel.org/netdev/20250708144206.95091-1-minhquangbui99@gmail.c...
Changes in v2:
- Remove incorrect give_pages call
- Link to v1: https://lore.kernel.org/netdev/20250706141150.25344-1-minhquangbui99@gmail.c...
drivers/net/virtio_net.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index a757cbcab87f..2c3f544add5e 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -910,17 +910,6 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi, goto ok; }
- /*
* Verify that we can indeed put this data into a skb.* This is here to handle cases when the device erroneously* tries to receive more than is possible. This is usually* the case of a broken device.*/- if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) {
net_dbg_ratelimited("%s: too much data\n", skb->dev->name);dev_kfree_skb(skb);return NULL;- } BUG_ON(offset >= PAGE_SIZE); while (len) { unsigned int frag_size = min((unsigned)PAGE_SIZE - offset, len);
@@ -2107,9 +2096,19 @@ static struct sk_buff *receive_big(struct net_device *dev, struct virtnet_rq_stats *stats) { struct page *page = buf;
- struct sk_buff *skb =
page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0);
- struct sk_buff *skb;
- /* Make sure that len does not exceed the allocated size in
* add_recvbuf_big.*/- if (unlikely(len > vi->big_packets_num_skbfrags * PAGE_SIZE)) {
I think should be:
if (unlikely(len > (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE)) {
Thanks
pr_debug("%s: rx error: len %u exceeds allocate size %lu\n",dev->name, len,vi->big_packets_num_skbfrags * PAGE_SIZE);goto err;}
skb = page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); u64_stats_add(&stats->bytes, len - vi->hdr_len); if (unlikely(!skb)) goto err;
-- 2.43.0
On 10/27/25 08:10, Xuan Zhuo wrote:
On Fri, 24 Oct 2025 22:06:49 +0700, Bui Quang Minh minhquangbui99@gmail.com wrote:
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.
This commit fixes the received length check corresponding to the new change.
Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets") Cc: stable@vger.kernel.org Signed-off-by: Bui Quang Minh minhquangbui99@gmail.com
Changes in v5:
- Move the length check to receive_big
- Link to v4: https://lore.kernel.org/netdev/20251022160623.51191-1-minhquangbui99@gmail.c...
Changes in v4:
- Remove unrelated changes, add more comments
- Link to v3: https://lore.kernel.org/netdev/20251021154534.53045-1-minhquangbui99@gmail.c...
Changes in v3:
- Convert BUG_ON to WARN_ON_ONCE
- Link to v2: https://lore.kernel.org/netdev/20250708144206.95091-1-minhquangbui99@gmail.c...
Changes in v2:
- Remove incorrect give_pages call
- Link to v1: https://lore.kernel.org/netdev/20250706141150.25344-1-minhquangbui99@gmail.c...
drivers/net/virtio_net.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index a757cbcab87f..2c3f544add5e 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -910,17 +910,6 @@ static struct sk_buff *page_to_skb(struct virtnet_info *vi, goto ok; }
- /*
* Verify that we can indeed put this data into a skb.* This is here to handle cases when the device erroneously* tries to receive more than is possible. This is usually* the case of a broken device.*/- if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) {
net_dbg_ratelimited("%s: too much data\n", skb->dev->name);dev_kfree_skb(skb);return NULL;- } BUG_ON(offset >= PAGE_SIZE); while (len) { unsigned int frag_size = min((unsigned)PAGE_SIZE - offset, len);
@@ -2107,9 +2096,19 @@ static struct sk_buff *receive_big(struct net_device *dev, struct virtnet_rq_stats *stats) { struct page *page = buf;
- struct sk_buff *skb =
page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0);
- struct sk_buff *skb;
- /* Make sure that len does not exceed the allocated size in
* add_recvbuf_big.*/- if (unlikely(len > vi->big_packets_num_skbfrags * PAGE_SIZE)) {
I think should be:
if (unlikely(len > (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE)) {
Thanks
Sorry, my mistake. I'll fix it.
Thanks, Quang Minh.
pr_debug("%s: rx error: len %u exceeds allocate size %lu\n",dev->name, len,vi->big_packets_num_skbfrags * PAGE_SIZE);goto err;}
skb = page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); u64_stats_add(&stats->bytes, len - vi->hdr_len); if (unlikely(!skb)) goto err;
-- 2.43.0
linux-stable-mirror@lists.linaro.org
-
Bui Quang Minh -
Parav Pandit -
Xuan Zhuo