> -----Original Message-----
> From: Jakub Kicinski <jakub.kicinski@xxxxxxxxxxxxx>
> Sent: Thursday, November 21, 2019 6:05 PM
> To: Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>
> Cc: sashal@xxxxxxxxxx; linux-hyperv@xxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx;
> KY Srinivasan <kys@xxxxxxxxxxxxx>; Stephen Hemminger
> <sthemmin@xxxxxxxxxxxxx>; olaf@xxxxxxxxx; vkuznets
> <vkuznets@xxxxxxxxxx>; davem@xxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH net,v2 1/2] hv_netvsc: Fix offset usage in
> netvsc_send_table()
>
> On Thu, 21 Nov 2019 13:33:40 -0800, Haiyang Zhang wrote:
> > To reach the data region, the existing code adds offset in struct
> > nvsp_5_send_indirect_table on the beginning of this struct. But the
> > offset should be based on the beginning of its container,
> > struct nvsp_message. This bug causes the first table entry missing,
> > and adds an extra zero from the zero pad after the data region.
> > This can put extra burden on the channel 0.
> >
> > So, correct the offset usage. Also add a boundary check to ensure
> > not reading beyond data region.
>
> Please provide a change log at the end of the commit message when
> posting new version in the future.

Sure. Will do that in the future.

> > Fixes: 5b54dac856cb ("hyperv: Add support for virtual Receive Side Scaling (vRSS)")
> > Signed-off-by: Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>
> >
> > - tab = (u32 *)((unsigned long)&nvmsg->msg.v5_msg.send_table +
> > - nvmsg->msg.v5_msg.send_table.offset);
> > + if (offset > msglen - count * sizeof(u32)) {
>
> Can't this underflow now? What if msglen is small?

msglen came from the vmbus container message. We trust it to be big enough
for the data region.

Thanks,
- Haiyang
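Review bot: the bound check on the `+` line, `if (offset > msglen - count * sizeof(u32))`, is evaluated in unsigned arithmetic because `sizeof(u32)` is a `size_t`, so when `msglen` is smaller than `count * sizeof(u32)` the subtraction wraps to a very large value and the comparison passes instead of rejecting the message; the reply says `msglen` is trusted to cover the data region, but nothing in this hunk enforces that. Guarding the subtraction first, e.g. `if (count * sizeof(u32) > msglen || offset > msglen - count * sizeof(u32))`, makes the check hold for a short `msglen` as well and documents the assumption in code rather than in the thread.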