On Thu, Oct 23, 2025 at 12:08 AM Bui Quang Minh <[email protected]> wrote:
>
> Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length
> for big packets"), when guest gso is off, the allocated size for big
> packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on
> negotiated MTU. The number of allocated frags for big packets is stored
> in vi->big_packets_num_skbfrags.
>
> Because the host announced buffer length can be malicious (e.g. the host
> vhost_net driver's get_rx_bufs is modified to announce incorrect
> length), we need a check in virtio_net receive path. Currently, the
> check is not adapted to the new change which can lead to NULL page
> pointer dereference in the below while loop when receiving length that
> is larger than the allocated one.
>
> This commit fixes the received length check corresponding to the new
> change.
>
> Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big
> packets")
> Cc: [email protected]
> Signed-off-by: Bui Quang Minh <[email protected]>
> ---
> Changes in v4:
> - Remove unrelated changes, add more comments
> Changes in v3:
> - Convert BUG_ON to WARN_ON_ONCE
> Changes in v2:
> - Remove incorrect give_pages call
> ---

Acked-by: Jason Wang <[email protected]>

Thanks

