
Bug#944794: stretch-pu: package dpdk/16.11.11+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-dpdk-devel@lists.alioth.debian.org

Dear release team,

We would like to upload a new LTS release version of DPDK to Stretch.
We have already done this previously, and it was approved, for 16.11.4
[1] and 16.11.6 [2] and 16.11.8 [3] and 16.11.9 [4], therefore I
already proceeded to upload to stretch-pu in accordance with the new
workflow.

As before, the LTS point release has only bug fixes and no API changes
and has been tested with regression tests.

The source debdiff is attached. Patches merged upstream have been
dropped.

This release has only one bug fix, which fixes a regression introduced
by the fix for CVE-2019-14818 released on Tuesday via stretch-security.

-- 
Kind regards,
Luca Boccassi

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884711
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896689
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907584
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925154
diff -Nru dpdk-16.11.9/debian/changelog dpdk-16.11.11/debian/changelog
--- dpdk-16.11.9/debian/changelog	2019-11-12 11:15:47.000000000 +0000
+++ dpdk-16.11.11/debian/changelog	2019-11-15 14:15:07.000000000 +0000
@@ -1,3 +1,13 @@
+dpdk (16.11.11-1+deb9u1) stretch; urgency=medium
+
+  * New upstream version 16.11.11
+    * https://mails.dpdk.org/archives/announce/2019-November/000297.html
+    * Fixes CVE-2019-14818
+    * Fixes vhost regression introduced by 16.11.10 and CVE fix
+  * Drop patches merged in 16.11.10
+
+ -- Luca Boccassi <bluca@debian.org>  Fri, 15 Nov 2019 14:15:07 +0000
+
 dpdk (16.11.9-1+deb9u2) stretch-security; urgency=high
 
   * Backport patches to fix CVE-2019-14818. A denial of service security
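Review bot: The "Fixes CVE-2019-14818" bullet in the new 16.11.11-1+deb9u1 entry reads as if this upload is what first addresses the CVE, but the entry directly below it (16.11.9-1+deb9u2, stretch-security) already says "Backport patches to fix CVE-2019-14818". Suggest rewording the bullet to say the upstream release now carries the fix that was previously backported, and keeping the regression bullet as the actual reason for this upload. Also note that the bug title gives the version as 16.11.11+deb9u1 while the changelog entry uses 16.11.11-1+deb9u1; one of the two should be corrected.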
diff -Nru dpdk-16.11.9/debian/patches/0001-vhost-validate-virtqueue-size.patch dpdk-16.11.11/debian/patches/0001-vhost-validate-virtqueue-size.patch
--- dpdk-16.11.9/debian/patches/0001-vhost-validate-virtqueue-size.patch	2019-11-12 11:14:06.000000000 +0000
+++ dpdk-16.11.11/debian/patches/0001-vhost-validate-virtqueue-size.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,43 +0,0 @@
-From 5fbb5c2919b6aecc98264528064e96f3dbb43e71 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Mon, 5 Feb 2018 13:16:00 +0100
-Subject: [PATCH 1/4] vhost: validate virtqueue size
-
-[ backported from upstream commit eb7c574b21cc92792ea5a1f219ddf6dd3cf3b1e1 ]
-
-Check the virtqueue size constraints so that invalid values don't cause
-bugs later on in the code.  For example, sometimes the virtqueue size is
-stored as unsigned int and sometimes as uint16_t, so bad things happen
-if it is ever larger than 65535.
-
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
----
- lib/librte_vhost/vhost_user.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
-index 618d413fe1..8a01c295e7 100644
---- a/lib/librte_vhost/vhost_user.c
-+++ b/lib/librte_vhost/vhost_user.c
-@@ -189,6 +189,17 @@ vhost_user_set_vring_num(struct virtio_net *dev,
- 
- 	vq->size = state->num;
- 
-+	/* VIRTIO 1.0, 2.4 Virtqueues says:
-+	 *
-+	 *   Queue Size value is always a power of 2. The maximum Queue Size
-+	 *   value is 32768.
-+	 */
-+	if ((vq->size & (vq->size - 1)) || vq->size > 32768) {
-+		RTE_LOG(ERR, VHOST_CONFIG,
-+			"invalid virtqueue size %u\n", vq->size);
-+		return -1;
-+	}
-+
- 	if (dev->dequeue_zero_copy) {
- 		vq->nr_zmbuf = 0;
- 		vq->last_zmbuf_idx = 0;
--- 
-2.20.1
-
diff -Nru dpdk-16.11.9/debian/patches/0002-vhost-add-number-of-fds-to-vhost-user-messages.patch dpdk-16.11.11/debian/patches/0002-vhost-add-number-of-fds-to-vhost-user-messages.patch
--- dpdk-16.11.9/debian/patches/0002-vhost-add-number-of-fds-to-vhost-user-messages.patch	2019-11-12 11:14:06.000000000 +0000
+++ dpdk-16.11.11/debian/patches/0002-vhost-add-number-of-fds-to-vhost-user-messages.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,112 +0,0 @@
-From 3863340f93b8d3e32cc9c2b048765b2855f701c5 Mon Sep 17 00:00:00 2001
-From: Maxime Coquelin <maxime.coquelin@redhat.com>
-Date: Fri, 12 Oct 2018 14:40:35 +0200
-Subject: [PATCH 2/4] vhost: add number of fds to vhost-user messages
-
-As soon as some ancillary data (fds) are received, it is copied
-without checking its length.
-
-This patch adds the number of fds received to the message,
-which is set in read_vhost_message().
-
-This is preliminary work to support sending fds to Qemu.
-
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
-(cherry picked from commit c00bb88d35fe975ede0ea35bdf4f765a2cece7e8)
-Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
----
- lib/librte_vhost/socket.c     | 22 +++++++++++++++++-----
- lib/librte_vhost/vhost_user.c |  2 +-
- lib/librte_vhost/vhost_user.h |  4 +++-
- 3 files changed, 21 insertions(+), 7 deletions(-)
-
-diff --git a/lib/librte_vhost/socket.c b/lib/librte_vhost/socket.c
-index 805b2e5b23..4a19280fb3 100644
---- a/lib/librte_vhost/socket.c
-+++ b/lib/librte_vhost/socket.c
-@@ -101,17 +101,23 @@ static struct vhost_user vhost_user = {
- 	.mutex = PTHREAD_MUTEX_INITIALIZER,
- };
- 
--/* return bytes# of read on success or negative val on failure. */
-+/*
-+ * return bytes# of read on success or negative val on failure. Update fdnum
-+ * with number of fds read.
-+ */
- int
--read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num)
-+read_fd_message(int sockfd, char *buf, int buflen, int *fds, int max_fds,
-+		int *fd_num)
- {
- 	struct iovec iov;
- 	struct msghdr msgh;
--	size_t fdsize = fd_num * sizeof(int);
--	char control[CMSG_SPACE(fdsize)];
-+	char control[CMSG_SPACE(max_fds * sizeof(int))];
- 	struct cmsghdr *cmsg;
-+	int got_fds = 0;
- 	int ret;
- 
-+	*fd_num = 0;
-+
- 	memset(&msgh, 0, sizeof(msgh));
- 	iov.iov_base = buf;
- 	iov.iov_len  = buflen;
-@@ -136,11 +142,17 @@ read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num)
- 		cmsg = CMSG_NXTHDR(&msgh, cmsg)) {
- 		if ((cmsg->cmsg_level == SOL_SOCKET) &&
- 			(cmsg->cmsg_type == SCM_RIGHTS)) {
--			memcpy(fds, CMSG_DATA(cmsg), fdsize);
-+			got_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
-+			*fd_num = got_fds;
-+			memcpy(fds, CMSG_DATA(cmsg), got_fds * sizeof(int));
- 			break;
- 		}
- 	}
- 
-+	/* Clear out unused file descriptors */
-+	while (got_fds < max_fds)
-+		fds[got_fds++] = -1;
-+
- 	return ret;
- }
- 
-diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
-index 8a01c295e7..b8f6a9fba5 100644
---- a/lib/librte_vhost/vhost_user.c
-+++ b/lib/librte_vhost/vhost_user.c
-@@ -963,7 +963,7 @@ read_vhost_message(int sockfd, struct VhostUserMsg *msg)
- 	int ret;
- 
- 	ret = read_fd_message(sockfd, (char *)msg, VHOST_USER_HDR_SIZE,
--		msg->fds, VHOST_MEMORY_MAX_NREGIONS);
-+		msg->fds, VHOST_MEMORY_MAX_NREGIONS, &msg->fd_num);
- 	if (ret <= 0)
- 		return ret;
- 
-diff --git a/lib/librte_vhost/vhost_user.h b/lib/librte_vhost/vhost_user.h
-index ba78d32684..ea9d304f82 100644
---- a/lib/librte_vhost/vhost_user.h
-+++ b/lib/librte_vhost/vhost_user.h
-@@ -110,6 +110,7 @@ typedef struct VhostUserMsg {
- 		VhostUserLog    log;
- 	} payload;
- 	int fds[VHOST_MEMORY_MAX_NREGIONS];
-+	int fd_num;
- } __attribute((packed)) VhostUserMsg;
- 
- #define VHOST_USER_HDR_SIZE offsetof(VhostUserMsg, payload.u64)
-@@ -122,7 +123,8 @@ typedef struct VhostUserMsg {
- int vhost_user_msg_handler(int vid, int fd);
- 
- /* socket.c */
--int read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num);
-+int read_fd_message(int sockfd, char *buf, int buflen, int *fds, int max_fds,
-+		int *fd_num);
- int send_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num);
- 
- #endif
--- 
-2.20.1
-
diff -Nru dpdk-16.11.9/debian/patches/0003-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch dpdk-16.11.11/debian/patches/0003-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch
--- dpdk-16.11.9/debian/patches/0003-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch	2019-11-12 11:14:06.000000000 +0000
+++ dpdk-16.11.11/debian/patches/0003-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,47 +0,0 @@
-From 8790f4c3bcd2450061e7f99e6ec3ef62f5cd5b78 Mon Sep 17 00:00:00 2001
-From: Maxime Coquelin <maxime.coquelin@redhat.com>
-Date: Fri, 23 Aug 2019 15:17:05 +0200
-Subject: [PATCH 3/4] vhost: fix possible denial of service on SET_VRING_NUM
-
-vhost_user_set_vring_num() performs multiple allocations
-without checking whether data were previously allocated.
-
-It may cause a denial of service because of the memory leaks
-that happen if a malicious vhost-user master keeps sending
-VHOST_USER_SET_VRING_NUM request until the slave runs out
-of memory.
-
-This issue has been assigned CVE-2019-14818
-
-Reported-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
----
- lib/librte_vhost/vhost_user.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
-index b8f6a9fba5..cebc72f78f 100644
---- a/lib/librte_vhost/vhost_user.c
-+++ b/lib/librte_vhost/vhost_user.c
-@@ -204,6 +204,8 @@ vhost_user_set_vring_num(struct virtio_net *dev,
- 		vq->nr_zmbuf = 0;
- 		vq->last_zmbuf_idx = 0;
- 		vq->zmbuf_size = vq->size;
-+		if (vq->zmbufs)
-+			rte_free(vq->zmbufs);
- 		vq->zmbufs = rte_zmalloc(NULL, vq->zmbuf_size *
- 					 sizeof(struct zcopy_mbuf), 0);
- 		if (vq->zmbufs == NULL) {
-@@ -213,7 +215,8 @@ vhost_user_set_vring_num(struct virtio_net *dev,
- 			dev->dequeue_zero_copy = 0;
- 		}
- 	}
--
-+	if (vq->shadow_used_ring)
-+		rte_free(vq->shadow_used_ring);
- 	vq->shadow_used_ring = rte_malloc(NULL,
- 				vq->size * sizeof(struct vring_used_elem),
- 				RTE_CACHE_LINE_SIZE);
--- 
-2.20.1
-
diff -Nru dpdk-16.11.9/debian/patches/0004-vhost-fix-possible-denial-of-service-by-leaking-FDs.patch dpdk-16.11.11/debian/patches/0004-vhost-fix-possible-denial-of-service-by-leaking-FDs.patch
--- dpdk-16.11.9/debian/patches/0004-vhost-fix-possible-denial-of-service-by-leaking-FDs.patch	2019-11-12 11:14:06.000000000 +0000
+++ dpdk-16.11.11/debian/patches/0004-vhost-fix-possible-denial-of-service-by-leaking-FDs.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,207 +0,0 @@
-From 1bf11cfb7c7c7e0723fbcefaeb57fa742d06d769 Mon Sep 17 00:00:00 2001
-From: Maxime Coquelin <maxime.coquelin@redhat.com>
-Date: Tue, 3 Sep 2019 17:34:22 +0200
-Subject: [PATCH 4/4] vhost: fix possible denial of service by leaking FDs
-
-A malicious Vhost-user master could send in loop hand-crafted
-vhost-user messages containing more file descriptors the
-vhost-user slave expects. Doing so causes the application using
-the vhost-user library to run out of FDs.
-
-This issue has been assigned CVE-2019-14818
-
-Fixes: 8f972312b8f4 ("vhost: support vhost-user")
-
-Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
----
- lib/librte_vhost/vhost_user.c | 87 +++++++++++++++++++++++++++++++++++
- 1 file changed, 87 insertions(+)
-
-diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
-index cebc72f78f..a6ab131543 100644
---- a/lib/librte_vhost/vhost_user.c
-+++ b/lib/librte_vhost/vhost_user.c
-@@ -75,6 +75,36 @@ static const char *vhost_message_str[VHOST_USER_MAX] = {
- 	[VHOST_USER_SEND_RARP]  = "VHOST_USER_SEND_RARP",
- };
- 
-+static void
-+close_msg_fds(struct VhostUserMsg *msg)
-+{
-+	int i;
-+
-+	for (i = 0; i < msg->fd_num; i++)
-+		close(msg->fds[i]);
-+}
-+
-+/*
-+ * Ensure the expected number of FDs is received,
-+ * close all FDs and return an error if this is not the case.
-+ */
-+static int
-+validate_msg_fds(struct VhostUserMsg *msg, int expected_fds)
-+{
-+	if (msg->fd_num == expected_fds)
-+		return 0;
-+
-+	RTE_LOG(ERR, VHOST_CONFIG,
-+		" Expect %d FDs for request %s, received %d\n",
-+		expected_fds,
-+		vhost_message_str[msg->request],
-+		msg->fd_num);
-+
-+	close_msg_fds(msg);
-+
-+	return -1;
-+}
-+
- static uint64_t
- get_blk_size(int fd)
- {
-@@ -1104,35 +1134,59 @@ vhost_user_msg_handler(int vid, int fd)
- 	ret = 0;
- 	switch (msg.request) {
- 	case VHOST_USER_GET_FEATURES:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		msg.payload.u64 = vhost_user_get_features();
- 		msg.size = sizeof(msg.payload.u64);
- 		send_vhost_message(fd, &msg);
- 		break;
- 	case VHOST_USER_SET_FEATURES:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_set_features(dev, msg.payload.u64);
- 		break;
- 
- 	case VHOST_USER_GET_PROTOCOL_FEATURES:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		msg.payload.u64 = VHOST_USER_PROTOCOL_FEATURES;
- 		msg.size = sizeof(msg.payload.u64);
- 		send_vhost_message(fd, &msg);
- 		break;
- 	case VHOST_USER_SET_PROTOCOL_FEATURES:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_set_protocol_features(dev, msg.payload.u64);
- 		break;
- 
- 	case VHOST_USER_SET_OWNER:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_set_owner();
- 		break;
- 	case VHOST_USER_RESET_OWNER:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_reset_owner(dev);
- 		break;
- 
- 	case VHOST_USER_SET_MEM_TABLE:
-+		if (validate_msg_fds(&msg, msg.payload.memory.nregions) != 0)
-+			return -1;
-+
- 		vhost_user_set_mem_table(dev, &msg);
- 		break;
- 
- 	case VHOST_USER_SET_LOG_BASE:
-+		if (validate_msg_fds(&msg, 1) != 0)
-+			return -1;
-+
- 		ret = vhost_user_set_log_base(dev, &msg);
- 		if (ret)
- 			break;
-@@ -1144,21 +1198,36 @@ vhost_user_msg_handler(int vid, int fd)
- 		send_vhost_message(fd, &msg);
- 		break;
- 	case VHOST_USER_SET_LOG_FD:
-+		if (validate_msg_fds(&msg, 1) != 0)
-+			return -1;
-+
- 		close(msg.fds[0]);
- 		RTE_LOG(INFO, VHOST_CONFIG, "not implemented.\n");
- 		break;
- 
- 	case VHOST_USER_SET_VRING_NUM:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_set_vring_num(dev, &msg.payload.state);
- 		break;
- 	case VHOST_USER_SET_VRING_ADDR:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_set_vring_addr(&dev, &msg.payload.addr);
- 		break;
- 	case VHOST_USER_SET_VRING_BASE:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_set_vring_base(dev, &msg.payload.state);
- 		break;
- 
- 	case VHOST_USER_GET_VRING_BASE:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_get_vring_base(dev, &msg.payload.state);
- 		if (ret)
- 			break;
-@@ -1167,28 +1236,46 @@ vhost_user_msg_handler(int vid, int fd)
- 		break;
- 
- 	case VHOST_USER_SET_VRING_KICK:
-+		if (validate_msg_fds(&msg, 1) != 0)
-+			return -1;
-+
- 		ret = vhost_user_set_vring_kick(dev, &msg);
- 		break;
- 	case VHOST_USER_SET_VRING_CALL:
-+		if (validate_msg_fds(&msg, 1) != 0)
-+			return -1;
-+
- 		vhost_user_set_vring_call(dev, &msg);
- 		break;
- 
- 	case VHOST_USER_SET_VRING_ERR:
-+		if (validate_msg_fds(&msg, 1) != 0)
-+			return -1;
-+
- 		if (!(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK))
- 			close(msg.fds[0]);
- 		RTE_LOG(INFO, VHOST_CONFIG, "not implemented\n");
- 		break;
- 
- 	case VHOST_USER_GET_QUEUE_NUM:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		msg.payload.u64 = VHOST_MAX_QUEUE_PAIRS;
- 		msg.size = sizeof(msg.payload.u64);
- 		send_vhost_message(fd, &msg);
- 		break;
- 
- 	case VHOST_USER_SET_VRING_ENABLE:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_set_vring_enable(dev, &msg.payload.state);
- 		break;
- 	case VHOST_USER_SEND_RARP:
-+		if (validate_msg_fds(&msg, 0) != 0)
-+			return -1;
-+
- 		ret = vhost_user_send_rarp(dev, &msg);
- 		break;
- 
--- 
-2.20.1
-
diff -Nru dpdk-16.11.9/debian/patches/series dpdk-16.11.11/debian/patches/series
--- dpdk-16.11.9/debian/patches/series	2019-11-12 11:14:53.000000000 +0000
+++ dpdk-16.11.11/debian/patches/series	2019-11-15 14:14:27.000000000 +0000
@@ -1,6 +1,2 @@
 fix-vhost-user-socket-permission.patch
 fix-power-default-config.patch
-0001-vhost-validate-virtqueue-size.patch
-0002-vhost-add-number-of-fds-to-vhost-user-messages.patch
-0003-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch
-0004-vhost-fix-possible-denial-of-service-by-leaking-FDs.patch
diff -Nru dpdk-16.11.9/doc/guides/rel_notes/release_16_11.rst dpdk-16.11.11/doc/guides/rel_notes/release_16_11.rst
--- dpdk-16.11.9/doc/guides/rel_notes/release_16_11.rst	2019-03-19 13:22:31.000000000 +0000
+++ dpdk-16.11.11/doc/guides/rel_notes/release_16_11.rst	2019-11-15 13:53:48.000000000 +0000
@@ -1480,3 +1480,36 @@
 * vhost: remove unneeded null pointer check
 * vhost-user: drop connection on message handling failures
 * vhost-user: fix false negative in handling user messages
+
+16.11.10 Release Notes
+----------------------
+
+16.11.10 Fixes
+~~~~~~~~~~~~~~
+
+* vhost: validate virtqueue size
+* vhost: add number of fds to vhost-user messages
+* vhost: fix possible denial of service by leaking FDs - CVE-2019-14818
+* vhost: fix possible denial of service on SET_VRING_NUM - CVE-2019-14818
+
+16.11.10 Validation
+~~~~~~~~~~~~~~~~~~~
+
+* Tested with two testpmd instances, one with Vhost PMD, the other with Virtio-user
+  PMD. Intialization goes well, and packets flow.
+
+16.11.11 Release Notes
+----------------------
+
+16.11.11 Fixes
+~~~~~~~~~~~~~~
+
+* vhost: fix vring requests validation broken if no FD
+
+16.11.11 Validation
+~~~~~~~~~~~~~~~~~~~
+
+* virtio/vhost regression tests by Intel:
+  * http://doc.dpdk.org/dts/test_plans/virtio_pvp_regression_test_plan.html
+  * http://doc.dpdk.org/dts/test_plans/vhost_dequeue_zero_copy_test_plan.html
+  * http://doc.dpdk.org/dts/test_plans/vm2vm_virtio_pmd_test_plan.html
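Review bot: In the added "16.11.10 Validation" entry, "Intialization" is misspelled (should be "Initialization"); since this is an upstream file, it is worth reporting upstream rather than patching in the package. The "16.11.11 Fixes" entry would also be easier to track if it named the change it repairs, as the Debian changelog does ("vhost regression introduced by 16.11.10 and CVE fix").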
diff -Nru dpdk-16.11.9/lib/librte_eal/common/include/rte_version.h dpdk-16.11.11/lib/librte_eal/common/include/rte_version.h
--- dpdk-16.11.9/lib/librte_eal/common/include/rte_version.h	2019-03-19 13:22:31.000000000 +0000
+++ dpdk-16.11.11/lib/librte_eal/common/include/rte_version.h	2019-11-15 13:53:48.000000000 +0000
@@ -66,7 +66,7 @@
 /**
  * Patch level number i.e. the z in yy.mm.z
  */
-#define RTE_VER_MINOR 9
+#define RTE_VER_MINOR 11
 
 /**
  * Extra string to be appended to version number
diff -Nru dpdk-16.11.9/lib/librte_vhost/socket.c dpdk-16.11.11/lib/librte_vhost/socket.c
--- dpdk-16.11.9/lib/librte_vhost/socket.c	2019-03-19 13:22:31.000000000 +0000
+++ dpdk-16.11.11/lib/librte_vhost/socket.c	2019-11-15 13:53:48.000000000 +0000
@@ -101,17 +101,23 @@
 	.mutex = PTHREAD_MUTEX_INITIALIZER,
 };
 
-/* return bytes# of read on success or negative val on failure. */
+/*
+ * return bytes# of read on success or negative val on failure. Update fdnum
+ * with number of fds read.
+ */
 int
-read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num)
+read_fd_message(int sockfd, char *buf, int buflen, int *fds, int max_fds,
+		int *fd_num)
 {
 	struct iovec iov;
 	struct msghdr msgh;
-	size_t fdsize = fd_num * sizeof(int);
-	char control[CMSG_SPACE(fdsize)];
+	char control[CMSG_SPACE(max_fds * sizeof(int))];
 	struct cmsghdr *cmsg;
+	int got_fds = 0;
 	int ret;
 
+	*fd_num = 0;
+
 	memset(&msgh, 0, sizeof(msgh));
 	iov.iov_base = buf;
 	iov.iov_len  = buflen;
@@ -136,11 +142,17 @@
 		cmsg = CMSG_NXTHDR(&msgh, cmsg)) {
 		if ((cmsg->cmsg_level == SOL_SOCKET) &&
 			(cmsg->cmsg_type == SCM_RIGHTS)) {
-			memcpy(fds, CMSG_DATA(cmsg), fdsize);
+			got_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
+			*fd_num = got_fds;
+			memcpy(fds, CMSG_DATA(cmsg), got_fds * sizeof(int));
 			break;
 		}
 	}
 
+	/* Clear out unused file descriptors */
+	while (got_fds < max_fds)
+		fds[got_fds++] = -1;
+
 	return ret;
 }
 
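Review bot: In the SCM_RIGHTS branch, got_fds is derived from cmsg->cmsg_len and used immediately as the memcpy() length into fds, with no explicit comparison against max_fds. The only bound is the implicit one from control[] being sized with CMSG_SPACE(max_fds * sizeof(int)). Suggest an explicit check before the copy (reject or clamp when got_fds > max_fds) so the write into the caller's array stays bounded even if the buffer sizing changes later. The updated function comment also says "fdnum" while the parameter is named fd_num, and it does not mention that unused entries of fds are set to -1.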
diff -Nru dpdk-16.11.9/lib/librte_vhost/vhost_user.c dpdk-16.11.11/lib/librte_vhost/vhost_user.c
--- dpdk-16.11.9/lib/librte_vhost/vhost_user.c	2019-03-19 13:22:31.000000000 +0000
+++ dpdk-16.11.11/lib/librte_vhost/vhost_user.c	2019-11-15 13:53:48.000000000 +0000
@@ -75,6 +75,36 @@
 	[VHOST_USER_SEND_RARP]  = "VHOST_USER_SEND_RARP",
 };
 
+static void
+close_msg_fds(struct VhostUserMsg *msg)
+{
+	int i;
+
+	for (i = 0; i < msg->fd_num; i++)
+		close(msg->fds[i]);
+}
+
+/*
+ * Ensure the expected number of FDs is received,
+ * close all FDs and return an error if this is not the case.
+ */
+static int
+validate_msg_fds(struct VhostUserMsg *msg, int expected_fds)
+{
+	if (msg->fd_num == expected_fds)
+		return 0;
+
+	RTE_LOG(ERR, VHOST_CONFIG,
+		" Expect %d FDs for request %s, received %d\n",
+		expected_fds,
+		vhost_message_str[msg->request],
+		msg->fd_num);
+
+	close_msg_fds(msg);
+
+	return -1;
+}
+
 static uint64_t
 get_blk_size(int fd)
 {
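Review bot: close_msg_fds() closes each msg->fds[i] but leaves the stale descriptor numbers and msg->fd_num in place, so any later path that walks the same message would close them a second time, possibly hitting a descriptor that has been reused in between. Suggest setting each entry to -1 after close() and resetting fd_num to 0. Separately, the error log in validate_msg_fds() indexes vhost_message_str[msg->request]; it is worth confirming that the request value is range-checked before this helper can be reached, since nothing in this hunk does so.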
@@ -189,10 +219,23 @@
 
 	vq->size = state->num;
 
+	/* VIRTIO 1.0, 2.4 Virtqueues says:
+	 *
+	 *   Queue Size value is always a power of 2. The maximum Queue Size
+	 *   value is 32768.
+	 */
+	if ((vq->size & (vq->size - 1)) || vq->size > 32768) {
+		RTE_LOG(ERR, VHOST_CONFIG,
+			"invalid virtqueue size %u\n", vq->size);
+		return -1;
+	}
+
 	if (dev->dequeue_zero_copy) {
 		vq->nr_zmbuf = 0;
 		vq->last_zmbuf_idx = 0;
 		vq->zmbuf_size = vq->size;
+		if (vq->zmbufs)
+			rte_free(vq->zmbufs);
 		vq->zmbufs = rte_zmalloc(NULL, vq->zmbuf_size *
 					 sizeof(struct zcopy_mbuf), 0);
 		if (vq->zmbufs == NULL) {
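Review bot: The new size check in vhost_user_set_vring_num() accepts 0, because (0 & (0 - 1)) is 0 and 0 > 32768 is false, so a queue size of zero falls through to the allocations below with a zero-length request. It also runs after "vq->size = state->num;", so on the error return vq->size keeps the rejected value. Suggest validating state->num first (non-zero, power of two, at most 32768) and assigning vq->size only once it has passed.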
@@ -202,7 +245,8 @@
 			dev->dequeue_zero_copy = 0;
 		}
 	}
-
+	if (vq->shadow_used_ring)
+		rte_free(vq->shadow_used_ring);
 	vq->shadow_used_ring = rte_malloc(NULL,
 				vq->size * sizeof(struct vring_used_elem),
 				RTE_CACHE_LINE_SIZE);
@@ -952,7 +996,7 @@
 	int ret;
 
 	ret = read_fd_message(sockfd, (char *)msg, VHOST_USER_HDR_SIZE,
-		msg->fds, VHOST_MEMORY_MAX_NREGIONS);
+		msg->fds, VHOST_MEMORY_MAX_NREGIONS, &msg->fd_num);
 	if (ret <= 0)
 		return ret;
 
@@ -1034,6 +1078,7 @@
 	struct VhostUserMsg msg;
 	int ret;
 	int unlock_required = 0;
+	int expected_fds;
 
 	dev = get_device(vid);
 	if (dev == NULL)
@@ -1090,35 +1135,59 @@
 	ret = 0;
 	switch (msg.request) {
 	case VHOST_USER_GET_FEATURES:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		msg.payload.u64 = vhost_user_get_features();
 		msg.size = sizeof(msg.payload.u64);
 		send_vhost_message(fd, &msg);
 		break;
 	case VHOST_USER_SET_FEATURES:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_set_features(dev, msg.payload.u64);
 		break;
 
 	case VHOST_USER_GET_PROTOCOL_FEATURES:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		msg.payload.u64 = VHOST_USER_PROTOCOL_FEATURES;
 		msg.size = sizeof(msg.payload.u64);
 		send_vhost_message(fd, &msg);
 		break;
 	case VHOST_USER_SET_PROTOCOL_FEATURES:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_set_protocol_features(dev, msg.payload.u64);
 		break;
 
 	case VHOST_USER_SET_OWNER:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_set_owner();
 		break;
 	case VHOST_USER_RESET_OWNER:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_reset_owner(dev);
 		break;
 
 	case VHOST_USER_SET_MEM_TABLE:
+		if (validate_msg_fds(&msg, msg.payload.memory.nregions) != 0)
+			return -1;
+
 		vhost_user_set_mem_table(dev, &msg);
 		break;
 
 	case VHOST_USER_SET_LOG_BASE:
+		if (validate_msg_fds(&msg, 1) != 0)
+			return -1;
+
 		ret = vhost_user_set_log_base(dev, &msg);
 		if (ret)
 			break;
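Review bot: Every new validate_msg_fds() failure in this switch (for example under case VHOST_USER_SET_FEATURES) does "return -1" directly instead of setting ret and breaking. The handler declares unlock_required (visible in the context of the previous hunk), so if anything is locked before the switch, these early returns skip whatever release follows it. Suggest "ret = -1; break;" or a common exit label, or a comment confirming that nothing acquired before the switch needs releasing on these paths. In the SET_MEM_TABLE case, msg.payload.memory.nregions comes from the peer and is passed as the int expected_fds; a short comment noting that an out-of-range value can never equal fd_num would make the intent clear.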
@@ -1130,21 +1199,36 @@
 		send_vhost_message(fd, &msg);
 		break;
 	case VHOST_USER_SET_LOG_FD:
+		if (validate_msg_fds(&msg, 1) != 0)
+			return -1;
+
 		close(msg.fds[0]);
 		RTE_LOG(INFO, VHOST_CONFIG, "not implemented.\n");
 		break;
 
 	case VHOST_USER_SET_VRING_NUM:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_set_vring_num(dev, &msg.payload.state);
 		break;
 	case VHOST_USER_SET_VRING_ADDR:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_set_vring_addr(&dev, &msg.payload.addr);
 		break;
 	case VHOST_USER_SET_VRING_BASE:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_set_vring_base(dev, &msg.payload.state);
 		break;
 
 	case VHOST_USER_GET_VRING_BASE:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_get_vring_base(dev, &msg.payload.state);
 		if (ret)
 			break;
@@ -1153,28 +1237,52 @@
 		break;
 
 	case VHOST_USER_SET_VRING_KICK:
+		expected_fds =
+			(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1;
+		if (validate_msg_fds(&msg, expected_fds) != 0)
+			return -1;
+
 		ret = vhost_user_set_vring_kick(dev, &msg);
 		break;
 	case VHOST_USER_SET_VRING_CALL:
+		expected_fds =
+			(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1;
+		if (validate_msg_fds(&msg, expected_fds) != 0)
+			return -1;
+
 		vhost_user_set_vring_call(dev, &msg);
 		break;
 
 	case VHOST_USER_SET_VRING_ERR:
+		expected_fds =
+			(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1;
+		if (validate_msg_fds(&msg, expected_fds) != 0)
+			return -1;
+
 		if (!(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK))
 			close(msg.fds[0]);
 		RTE_LOG(INFO, VHOST_CONFIG, "not implemented\n");
 		break;
 
 	case VHOST_USER_GET_QUEUE_NUM:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		msg.payload.u64 = VHOST_MAX_QUEUE_PAIRS;
 		msg.size = sizeof(msg.payload.u64);
 		send_vhost_message(fd, &msg);
 		break;
 
 	case VHOST_USER_SET_VRING_ENABLE:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_set_vring_enable(dev, &msg.payload.state);
 		break;
 	case VHOST_USER_SEND_RARP:
+		if (validate_msg_fds(&msg, 0) != 0)
+			return -1;
+
 		ret = vhost_user_send_rarp(dev, &msg);
 		break;
 
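Review bot: The expression "(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1" is repeated verbatim in the SET_VRING_KICK, SET_VRING_CALL and SET_VRING_ERR cases, and the ERR case tests the same mask again two lines later before close(msg.fds[0]). A small helper that returns the expected FD count for a vring request would keep the three cases in sync. Since this is the part that differs from the fixed-count checks in the other cases, a one-line comment explaining that the NOFD flag means no descriptor accompanies the message would help the next reader.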
diff -Nru dpdk-16.11.9/lib/librte_vhost/vhost_user.h dpdk-16.11.11/lib/librte_vhost/vhost_user.h
--- dpdk-16.11.9/lib/librte_vhost/vhost_user.h	2019-03-19 13:22:31.000000000 +0000
+++ dpdk-16.11.11/lib/librte_vhost/vhost_user.h	2019-11-15 13:53:48.000000000 +0000
@@ -110,6 +110,7 @@
 		VhostUserLog    log;
 	} payload;
 	int fds[VHOST_MEMORY_MAX_NREGIONS];
+	int fd_num;
 } __attribute((packed)) VhostUserMsg;
 
 #define VHOST_USER_HDR_SIZE offsetof(VhostUserMsg, payload.u64)
@@ -122,7 +123,8 @@
 int vhost_user_msg_handler(int vid, int fd);
 
 /* socket.c */
-int read_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num);
+int read_fd_message(int sockfd, char *buf, int buflen, int *fds, int max_fds,
+		int *fd_num);
 int send_fd_message(int sockfd, char *buf, int buflen, int *fds, int fd_num);
 
 #endif
diff -Nru dpdk-16.11.9/pkg/dpdk.spec dpdk-16.11.11/pkg/dpdk.spec
--- dpdk-16.11.9/pkg/dpdk.spec	2019-03-19 13:22:31.000000000 +0000
+++ dpdk-16.11.11/pkg/dpdk.spec	2019-11-15 13:53:48.000000000 +0000
@@ -30,7 +30,7 @@
 # OF THE POSSIBILITY OF SUCH DAMAGE.
 
 Name: dpdk
-Version: 16.11.9
+Version: 16.11.11
 Release: 1
 Packager: packaging@6wind.com
 URL: http://dpdk.org
