Thread: 7 messages, 3 authors, 2019-11-22

RE: [PATCH net,v2 1/2] hv_netvsc: Fix offset usage in netvsc_send_table()

From: Haiyang Zhang <haiyangz@microsoft.com>
Date: 2019-11-22 00:54:25
Also in: linux-hyperv, lkml

-----Original Message-----
From: Jakub Kicinski <redacted>
Sent: Thursday, November 21, 2019 6:05 PM
To: Haiyang Zhang <haiyangz@microsoft.com>
Cc: sashal@kernel.org; linux-hyperv@vger.kernel.org; netdev@vger.kernel.org;
KY Srinivasan [off-list ref]; Stephen Hemminger
[off-list ref]; olaf@aepfle.de; vkuznets
[off-list ref]; davem@davemloft.net; linux-kernel@vger.kernel.org
Subject: Re: [PATCH net,v2 1/2] hv_netvsc: Fix offset usage in netvsc_send_table()

On Thu, 21 Nov 2019 13:33:40 -0800, Haiyang Zhang wrote:
To reach the data region, the existing code adds the offset in struct
nvsp_5_send_indirect_table to the beginning of this struct. But the
offset should be based on the beginning of its container,
struct nvsp_message. This bug causes the first table entry to be missing,
and adds an extra zero from the zero pad after the data region.
This can put an extra burden on channel 0.

So, correct the offset usage. Also add a boundary check to ensure
we do not read beyond the data region.
Please provide a change log at the end of the commit message when
posting a new version in the future.

Sure. Will do that in the future.
Fixes: 5b54dac856cb ("hyperv: Add support for virtual Receive Side Scaling (vRSS)")
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
-	tab = (u32 *)((unsigned long)&nvmsg->msg.v5_msg.send_table +
-		      nvmsg->msg.v5_msg.send_table.offset);
+	if (offset > msglen - count * sizeof(u32)) {
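Review bot: the added bounds check `if (offset > msglen - count * sizeof(u32))` can wrap rather than reject: `msglen` and `count` are unsigned, so once `count * sizeof(u32)` exceeds `msglen` the subtraction yields a huge value and every `offset` passes, which is the opposite of what the check is for. Test the two quantities in an order that cannot wrap, for example `if (offset > msglen || count > (msglen - offset) / sizeof(u32))`, so a message that is too short for `count` entries is dropped instead of being read past its end. Even if `msglen` is trusted from the VMBus layer, the check should not be correct only on the assumption that it is large.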
Can't this underflow now? What if msglen is small?

msglen came from the vmbus container message. We trust it to be big
enough for the data region.

Thanks,
- Haiyang
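The offset mistake described in the commit message, and the underflow question raised against the new bounds check, both come down to a few lines of pointer and unsigned arithmetic. The program below is an added example that is not part of the patch or of the hv_netvsc driver: it uses hypothetical `ex_*` struct names with a fixed flat layout standing in for `nvsp_message` and `nvsp_5_send_indirect_table`, builds a constructed sample message, and compares the old inner-struct-relative lookup, a bounds check written the way the hunk writes it, and a non-wrapping check that rejects a short `msglen` instead of accepting it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

/* Hypothetical table header, shaped like what the thread discusses: a count
 * and a byte offset to the u32 entries. Not the kernel's
 * struct nvsp_5_send_indirect_table. */
struct ex_send_table {
    u32 count;   /* number of u32 entries */
    u32 offset;  /* byte offset of the entries, relative to the message start */
};

/* Hypothetical container message with only u32 fields so the layout is fixed:
 * bytes 0..3 type, 4..11 table header, 12..15 pad, 16..31 entries, 32..47 zeros. */
struct ex_nvsp_message {
    u32 msg_type;
    struct ex_send_table send_table;
    u32 pad;
    u32 entries[4];
    u32 zero_pad[4];
};

/* Constructed sample (not captured data): four entries at byte 16. */
const struct ex_nvsp_message *ex_sample(void)
{
    static struct ex_nvsp_message m;
    memset(&m, 0, sizeof(m));
    m.msg_type = 1;            /* hypothetical type value */
    m.send_table.count = 4;
    m.send_table.offset = 16;  /* relative to the container, as the fix intends */
    m.entries[0] = 10;
    m.entries[1] = 20;
    m.entries[2] = 30;
    m.entries[3] = 40;
    return &m;
}

/* The bug the patch fixes: the offset is applied to the inner struct, which
 * starts 4 bytes into the message, so the pointer lands one entry late: the
 * first entry is skipped and a zero from the pad is read as the last one. */
const u32 *ex_table_old(const struct ex_nvsp_message *m)
{
    return (const u32 *)((const char *)&m->send_table + m->send_table.offset);
}

/* The check as written in the hunk; returns 1 when the table is accepted.
 * All operands are unsigned, so when count * sizeof(u32) > msglen the
 * subtraction wraps to a huge value and the comparison never fires. */
int ex_check_as_posted(u32 offset, u32 count, u32 msglen)
{
    if (offset > msglen - count * sizeof(u32))
        return 0;
    return 1;
}

/* Non-wrapping form: bound the offset first, then ask whether count entries
 * fit in what remains. No intermediate value can leave [0, msglen]. */
int ex_check_safe(u32 offset, u32 count, u32 msglen)
{
    if (offset > msglen)
        return 0;
    if (count > (msglen - offset) / sizeof(u32))
        return 0;
    return 1;
}

/* Corrected lookup: offset relative to the container and checked against the
 * received length. Returns NULL for a table that does not fit. */
const u32 *ex_table_fixed(const struct ex_nvsp_message *m, u32 msglen)
{
    if (!ex_check_safe(m->send_table.offset, m->send_table.count, msglen))
        return NULL;
    return (const u32 *)((const char *)m + m->send_table.offset);
}

int main(void)
{
    const struct ex_nvsp_message *m = ex_sample();
    const u32 *old = ex_table_old(m);
    const u32 *fixed = ex_table_fixed(m, sizeof(*m));
    unsigned i;

    printf("old  :");
    for (i = 0; i < m->send_table.count; i++)
        printf(" %u", old[i]);
    printf("\nfixed:");
    for (i = 0; i < m->send_table.count; i++)
        printf(" %u", fixed[i]);
    printf("\nposted check, msglen 8: %d\n", ex_check_as_posted(16, 4, 8));
    printf("safe check,   msglen 8: %d\n", ex_check_safe(16, 4, 8));
    return 0;
}
```

With the sample message the old lookup yields 20 30 40 0 (first entry lost, a pad zero appended), the fixed one yields 10 20 30 40, and for a message only 8 bytes long the check as posted still accepts four entries at offset 16 while the reordered check rejects them.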