From: Stefano Garzarella <sgarzare@redhat.com> To: virtualization@lists.linux-foundation.org Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, "Michael S. Tsirkin" <mst@redhat.com>, Jason Wang <jasowang@redhat.com> Subject: [RFC PATCH 08/10] vhost/vdpa: allow user space to pass buffers bigger than config space Date: Tue, 16 Feb 2021 10:44:52 +0100 [thread overview] Message-ID: <20210216094454.82106-9-sgarzare@redhat.com> (raw) In-Reply-To: <20210216094454.82106-1-sgarzare@redhat.com> vdpa_get_config() and vdpa_set_config() now are able to read/write only the bytes available in the device configuration space, also if the buffer provided is bigger than that. Let's use this feature to allow the user space application to pass any buffer. We limit the size of the internal bounce buffer allocated with the device config size. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 drivers/vhost/vdpa.c | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
index cdd8f24168b2..544f8582a42b 100644
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -185,10 +185,10 @@ static long vhost_vdpa_set_status(struct vhost_vdpa *v, u8 __user *statusp)
 return 0;
 }
-static int vhost_vdpa_config_validate(struct vhost_vdpa *v,
- struct vhost_vdpa_config *c)
+static ssize_t vhost_vdpa_config_validate(struct vhost_vdpa *v,
+ struct vhost_vdpa_config *c)
 {
- long size = 0;
+ u32 size = 0;
 switch (v->virtio_id) {
 case VIRTIO_ID_NET:
@@ -199,10 +199,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v,
 if (c->len == 0)
 return -EINVAL;
- if (c->len > size - c->off)
- return -E2BIG;
-
- return 0;
+ return min(c->len, size);
 }
 static long vhost_vdpa_get_config(struct vhost_vdpa *v,
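Review bot: In the second hunk (`@@ -199,10 +199,7 @@`) the new tail `return min(c->len, size);` yields 0 whenever the switch leaves `size` at 0, which as far as the visible lines show is every `virtio_id` other than VIRTIO_ID_NET, and both callers then hand that 0 back to user space as success without touching the buffer. The clamp also ignores `c->off`, so with the removed `-E2BIG` test nothing in this file bounds the offset any more and the guarantee rests entirely on vdpa_get_config()/vdpa_set_config(), which this diff does not show. A cheap local check keeps both properties: `if (c->off >= size) return -EINVAL;` followed by `return min(c->len, size - c->off);`. Part of the switch body lies between this hunk and the previous one, so the full function is not visible here.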
@@ -211,19 +208,23 @@ static long vhost_vdpa_get_config(struct vhost_vdpa *v,
 struct vdpa_device *vdpa = v->vdpa;
 struct vhost_vdpa_config config;
 unsigned long size = offsetof(struct vhost_vdpa_config, buf);
+ ssize_t config_size;
 u8 *buf;
 if (copy_from_user(&config, c, size))
 return -EFAULT;
- if (vhost_vdpa_config_validate(v, &config))
- return -EINVAL;
- buf = kvzalloc(config.len, GFP_KERNEL);
+
+ config_size = vhost_vdpa_config_validate(v, &config);
+ if (config_size <= 0)
+ return config_size;
+
+ buf = kvzalloc(config_size, GFP_KERNEL);
 if (!buf)
 return -ENOMEM;
- vdpa_get_config(vdpa, config.off, buf, config.len);
+ vdpa_get_config(vdpa, config.off, buf, config_size);
- if (copy_to_user(c->buf, buf, config.len)) {
+ if (copy_to_user(c->buf, buf, config_size)) {
 kvfree(buf);
 return -EFAULT;
 }
@@ -238,18 +239,21 @@ static long vhost_vdpa_set_config(struct vhost_vdpa *v,
 struct vdpa_device *vdpa = v->vdpa;
 struct vhost_vdpa_config config;
 unsigned long size = offsetof(struct vhost_vdpa_config, buf);
+ ssize_t config_size;
 u8 *buf;
 if (copy_from_user(&config, c, size))
 return -EFAULT;
- if (vhost_vdpa_config_validate(v, &config))
- return -EINVAL;
- buf = vmemdup_user(c->buf, config.len);
+ config_size = vhost_vdpa_config_validate(v, &config);
+ if (config_size <= 0)
+ return config_size;
+
+ buf = vmemdup_user(c->buf, config_size);
 if (IS_ERR(buf))
 return PTR_ERR(buf);
- vdpa_set_config(vdpa, config.off, buf, config.len);
+ vdpa_set_config(vdpa, config.off, buf, config_size);
 kvfree(buf);
 return 0;
-- 2.29.2
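Review bot: In vhost_vdpa_get_config() the result of `vdpa_get_config()` is discarded while `copy_to_user()` always copies the full `config_size`, so whenever the helper fills fewer bytes (the commit message says it reads only what the config space holds, and `config.off` is not subtracted from the clamp) the tail that reaches user space is whatever the bounce buffer contained. Today that is zeros only because the allocation is `kvzalloc()`; that dependency deserves a comment on the allocation such as `/* must stay zeroed: bytes vdpa_get_config() does not fill are still copied to user space */`, so a later switch to a non-zeroing allocator does not become a kernel heap disclosure. Copying only the number of bytes the helper reports, if it returns one, would remove the dependency altogether. The function begins above the hunk and continues after it.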
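Review bot: In vhost_vdpa_set_config() a short write is now reported as full success: `vmemdup_user()` duplicates only `config_size` bytes, the return value of `vdpa_set_config()` is unused, and the function still ends in `return 0`, so a caller that passed a larger `config.len` or a non-zero `config.off` cannot tell how much of its buffer reached the device. For a configuration write, silently dropping part of the request is harder to detect than an error, so either reject requests that do not fit or return the byte count; if that is deferred to a later patch of the series, a comment such as `/* partial writes are reported to user space by a follow-up patch */` would keep this step reviewable on its own. `config.off` is passed through unchecked here, so its bound depends on vdpa_set_config(), which is outside this diff, and the function begins above the hunk.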
From: Stefano Garzarella <sgarzare@redhat.com> To: virtualization@lists.linux-foundation.org Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, "Michael S. Tsirkin" <mst@redhat.com> Subject: [RFC PATCH 08/10] vhost/vdpa: allow user space to pass buffers bigger than config space Date: Tue, 16 Feb 2021 10:44:52 +0100 [thread overview] Message-ID: <20210216094454.82106-9-sgarzare@redhat.com> (raw) In-Reply-To: <20210216094454.82106-1-sgarzare@redhat.com> vdpa_get_config() and vdpa_set_config() now are able to read/write only the bytes available in the device configuration space, also if the buffer provided is bigger than that. Let's use this feature to allow the user space application to pass any buffer. We limit the size of the internal bounce buffer allocated with the device config size. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 drivers/vhost/vdpa.c | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
index cdd8f24168b2..544f8582a42b 100644
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -185,10 +185,10 @@ static long vhost_vdpa_set_status(struct vhost_vdpa *v, u8 __user *statusp)
 return 0;
 }
-static int vhost_vdpa_config_validate(struct vhost_vdpa *v,
- struct vhost_vdpa_config *c)
+static ssize_t vhost_vdpa_config_validate(struct vhost_vdpa *v,
+ struct vhost_vdpa_config *c)
 {
- long size = 0;
+ u32 size = 0;
 switch (v->virtio_id) {
 case VIRTIO_ID_NET:
@@ -199,10 +199,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v,
 if (c->len == 0)
 return -EINVAL;
- if (c->len > size - c->off)
- return -E2BIG;
-
- return 0;
+ return min(c->len, size);
 }
 static long vhost_vdpa_get_config(struct vhost_vdpa *v,
@@ -211,19 +208,23 @@ static long vhost_vdpa_get_config(struct vhost_vdpa *v,
 struct vdpa_device *vdpa = v->vdpa;
 struct vhost_vdpa_config config;
 unsigned long size = offsetof(struct vhost_vdpa_config, buf);
+ ssize_t config_size;
 u8 *buf;
 if (copy_from_user(&config, c, size))
 return -EFAULT;
- if (vhost_vdpa_config_validate(v, &config))
- return -EINVAL;
- buf = kvzalloc(config.len, GFP_KERNEL);
+
+ config_size = vhost_vdpa_config_validate(v, &config);
+ if (config_size <= 0)
+ return config_size;
+
+ buf = kvzalloc(config_size, GFP_KERNEL);
 if (!buf)
 return -ENOMEM;
- vdpa_get_config(vdpa, config.off, buf, config.len);
+ vdpa_get_config(vdpa, config.off, buf, config_size);
- if (copy_to_user(c->buf, buf, config.len)) {
+ if (copy_to_user(c->buf, buf, config_size)) {
 kvfree(buf);
 return -EFAULT;
 }
@@ -238,18 +239,21 @@ static long vhost_vdpa_set_config(struct vhost_vdpa *v,
 struct vdpa_device *vdpa = v->vdpa;
 struct vhost_vdpa_config config;
 unsigned long size = offsetof(struct vhost_vdpa_config, buf);
+ ssize_t config_size;
 u8 *buf;
 if (copy_from_user(&config, c, size))
 return -EFAULT;
- if (vhost_vdpa_config_validate(v, &config))
- return -EINVAL;
- buf = vmemdup_user(c->buf, config.len);
+ config_size = vhost_vdpa_config_validate(v, &config);
+ if (config_size <= 0)
+ return config_size;
+
+ buf = vmemdup_user(c->buf, config_size);
 if (IS_ERR(buf))
 return PTR_ERR(buf);
- vdpa_set_config(vdpa, config.off, buf, config.len);
+ vdpa_set_config(vdpa, config.off, buf, config_size);
 kvfree(buf);
 return 0;
-- 2.29.2
_______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization