From: Bui Quang Minh
To: netdev@vger.kernel.org
Cc: "Michael S. Tsirkin", Jason Wang, Xuan Zhuo, Eugenio Pérez, Andrew Lunn, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Gavin Li, Gavi Teitz, Parav Pandit, virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, Bui Quang Minh, stable@vger.kernel.org
Subject: [PATCH net v5] virtio-net: fix received length check in big packets
Date: Fri, 24 Oct 2025 22:06:49 +0700
Message-ID: <20251024150649.22906-1-minhquangbui99@gmail.com>

Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on the negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.

Because the host-announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce an incorrect length), we need a check in the virtio_net receive path. Currently, the check is not adapted to the new change, which can lead to a NULL page pointer dereference in the below while loop when receiving a length that is larger than the allocated one.

This commit fixes the received length check corresponding to the new change.

Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets")
Cc: stable@vger.kernel.org
Signed-off-by: Bui Quang Minh
---
Changes in v5:
- Move the length check to receive_big
- Link to v4: https://lore.kernel.org/netdev/20251022160623.51191-1-minhquangbui99@gmail.com/
Changes in v4:
- Remove unrelated changes, add more comments
- Link to v3: https://lore.kernel.org/netdev/20251021154534.53045-1-minhquangbui99@gmail.com/
Changes in v3:
- Convert BUG_ON to WARN_ON_ONCE
- Link to v2: https://lore.kernel.org/netdev/20250708144206.95091-1-minhquangbui99@gmail.com/
Changes in v2:
- Remove incorrect give_pages call
- Link to v1: https://lore.kernel.org/netdev/20250706141150.25344-1-minhquangbui99@gmail.com/
---
drivers/net/virtio_net.c | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index a757cbcab87f..2c3f544add5e 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -910,17 +910,6 @@ static struct sk_buff *page_to_skb(struct virtnet_info= *vi, goto ok; } =20 - /* - * Verify that we can indeed put this data into a skb. - * This is here to handle cases when the device erroneously - * tries to receive more than is possible. This is usually - * the case of a broken device. - */ - if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) { - net_dbg_ratelimited("%s: too much data\n", skb->dev->name); - dev_kfree_skb(skb); - return NULL; - } BUG_ON(offset >=3D PAGE_SIZE); while (len) { unsigned int frag_size =3D min((unsigned)PAGE_SIZE - offset, len); 
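Review bot: with the MAX_SKB_FRAGS * PAGE_SIZE bound removed from page_to_skb, the `while (len)` loop in the trailing context of this hunk has no guard of its own any more, so the function's safety now rests on every caller having bounded len against the pages it hands over; a one-line comment next to `BUG_ON(offset >= PAGE_SIZE)` stating that precondition ("callers must have checked len against the allocated buffer size") would keep another caller or a later refactor from reintroducing the problem this series fixes. The removed path also freed the partially built skb on error; the relocated check in receive_big runs before any skb is allocated, so nothing is lost on that path, but that is exactly the contract the comment should record.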
@@ -2107,9 +2096,19 @@ static struct sk_buff *receive_big(struct net_device= *dev, struct virtnet_rq_stats *stats) { struct page *page =3D buf; - struct sk_buff *skb =3D - page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); + struct sk_buff *skb; + + /* Make sure that len does not exceed the allocated size in + * add_recvbuf_big. + */ + if (unlikely(len > vi->big_packets_num_skbfrags * PAGE_SIZE)) { + pr_debug("%s: rx error: len %u exceeds allocate size %lu\n", + dev->name, len, + vi->big_packets_num_skbfrags * PAGE_SIZE); + goto err; + } =20 + skb =3D page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); u64_stats_add(&stats->bytes, len - vi->hdr_len); if (unlikely(!skb)) goto err; --=20 2.43.0
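Review bot: the new check in receive_big logs with pr_debug where the check it replaces used net_dbg_ratelimited; since the commit message describes a host that can announce bad lengths deliberately and repeatedly, a ratelimited, netdev-aware variant (net_dbg_ratelimited, as before) would be the safer choice on a path an untrusted peer can drive. The new `goto err` leaves page ownership to the err label, which is not in the hunk, so it is worth confirming that label returns the pages for buf; the v2 changelog mentions removing an incorrect give_pages call, so ownership on this early-exit path deserves a second look. One question on the bound itself: the stats line just below (`len - vi->hdr_len`) shows that len includes the header, so the check compares header plus payload against the page count times PAGE_SIZE; a sentence in the comment on why that bound matches what add_recvbuf_big lays out across the chained pages would make the reasoning reviewable without opening the allocation code.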
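The failure mode the commit message describes, as an added user-space model (not code from the patch or from drivers/net/virtio_net.c): a receive buffer is a chain of pages whose count plays the role of vi->big_packets_num_skbfrags, the device announces a length, and a walker modelled on the `while (len)` loop in page_to_skb copies that many bytes across the chain. Without a bound the walk runs off the end of the chain (where the kernel would dereference a NULL page); with the relocated receive_big check the bad length is rejected before the walk starts. MODEL_PAGE_SIZE, model_page, alloc_chain, walk_pages, receive_big_checked and run_scenario are the example's own names, and the 64-byte page size is a constructed value chosen to keep the model readable.

```c
/* Added example: a user-space model of the big-packet receive path, not the
 * driver's code. Names and sizes are the example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 64u /* constructed page size, stands in for PAGE_SIZE */

/* One receive page; `next` stands in for the page->private chain that
 * add_recvbuf_big builds and page_to_skb walks in the driver. */
struct model_page {
	unsigned char data[MODEL_PAGE_SIZE];
	struct model_page *next;
};

enum rx_result { RX_OK = 0, RX_LEN_TOO_LARGE = 1, RX_CHAIN_EXHAUSTED = 2 };

static void free_chain(struct model_page *p)
{
	while (p) {
		struct model_page *next = p->next;

		free(p);
		p = next;
	}
}

/* Allocate nr_pages chained pages for one receive buffer; nr_pages plays
 * the role of vi->big_packets_num_skbfrags. */
static struct model_page *alloc_chain(unsigned int nr_pages)
{
	struct model_page *head = NULL;

	while (nr_pages--) {
		struct model_page *p = calloc(1, sizeof(*p));

		if (!p) {
			free_chain(head);
			return NULL;
		}
		p->next = head;
		head = p;
	}
	return head;
}

/* Model of the `while (len)` walk in page_to_skb: copy len bytes out of the
 * chain one page fragment at a time. Returns bytes copied, or -1 when the
 * chain ends before len is exhausted; the driver has no check at this point
 * and would dereference the NULL page instead. */
static long walk_pages(const struct model_page *page, unsigned int len,
		       unsigned char *out)
{
	unsigned int offset = 0;
	long copied = 0;

	while (len) {
		unsigned int avail = MODEL_PAGE_SIZE - offset;
		unsigned int frag_size = avail < len ? avail : len;

		if (!page)
			return -1;
		memcpy(out + copied, page->data + offset, frag_size);
		copied += frag_size;
		len -= frag_size;
		offset = 0;
		page = page->next;
	}
	return copied;
}

/* Model of receive_big after the patch: the announced length is checked
 * against the allocated chain before anything walks it. */
static enum rx_result receive_big_checked(struct model_page *chain,
					  unsigned int num_skbfrags,
					  unsigned int len, unsigned char *out)
{
	if (len > num_skbfrags * MODEL_PAGE_SIZE)
		return RX_LEN_TOO_LARGE;
	return walk_pages(chain, len, out) < 0 ? RX_CHAIN_EXHAUSTED : RX_OK;
}

/* Run one scenario: a buffer of num_skbfrags pages and a device-announced
 * length, through the checked path or the unchecked walk. */
static enum rx_result run_scenario(unsigned int num_skbfrags,
				   unsigned int announced_len, int checked)
{
	struct model_page *chain = alloc_chain(num_skbfrags);
	/* Destination sized to the announced length, like an skb with room
	 * for len bytes; +1 keeps the allocation non-zero for len 0. */
	unsigned char *out = calloc((size_t)announced_len + 1, 1);
	enum rx_result r;

	if (!chain || !out) {
		free_chain(chain);
		free(out);
		return RX_CHAIN_EXHAUSTED;
	}
	if (checked)
		r = receive_big_checked(chain, num_skbfrags, announced_len, out);
	else
		r = walk_pages(chain, announced_len, out) < 0 ? RX_CHAIN_EXHAUSTED : RX_OK;
	free_chain(chain);
	free(out);
	return r;
}

int main(void)
{
	printf("in-bound length, checked:    %d\n", run_scenario(4, 4 * MODEL_PAGE_SIZE, 1));
	printf("oversize length, checked:    %d\n", run_scenario(4, 4 * MODEL_PAGE_SIZE + 1, 1));
	printf("oversize length, unchecked:  %d\n", run_scenario(4, 4 * MODEL_PAGE_SIZE + 1, 0));
	return 0;
}
```

Result 2 in the unchecked run is the model's stand-in for the NULL page dereference; the checked run returns 1 for the same input because the bound rejects the announced length before the walk begins, which is the ordering the patch establishes in receive_big.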