From: Jason Wang <jasowang@redhat.com>
To: Dan Carpenter <dan.carpenter@oracle.com>,
	Xie Yongji <xieyongji@bytedance.com>
Cc: mst@redhat.com, stefanha@redhat.com, sgarzare@redhat.com,
	parav@nvidia.com, hch@infradead.org,
	christian.brauner@canonical.com, rdunlap@infradead.org,
	willy@infradead.org, viro@zeniv.linux.org.uk, axboe@kernel.dk,
	bcrl@kvack.org, corbet@lwn.net, mika.penttila@nextfour.com,
	joro@8bytes.org, gregkh@linuxfoundation.org,
	zhe.he@windriver.com, xiaodong.liu@intel.com,
	songmuchun@bytedance.com,
	virtualization@lists.linux-foundation.org,
	netdev@vger.kernel.org, kvm@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, iommu@lists.linux-foundation.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v9 13/17] vdpa: factor out vhost_vdpa_pa_map() and vhost_vdpa_pa_unmap()
Date: Wed, 14 Jul 2021 10:14:32 +0800	[thread overview]
Message-ID: <20e75b53-0dce-2f2d-b717-f78553bddcd8@redhat.com> (raw)
In-Reply-To: <20210713113114.GL1954@kadam>


On 2021/7/13 7:31 PM, Dan Carpenter wrote:
> On Tue, Jul 13, 2021 at 04:46:52PM +0800, Xie Yongji wrote:
>> @@ -613,37 +618,28 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, u64 iova, u64 size)
>>   	}
>>   }
>>   
>> -static int vhost_vdpa_process_iotlb_update(struct vhost_vdpa *v,
>> -					   struct vhost_iotlb_msg *msg)
>> +static int vhost_vdpa_pa_map(struct vhost_vdpa *v,
>> +			     u64 iova, u64 size, u64 uaddr, u32 perm)
>>   {
>>   	struct vhost_dev *dev = &v->vdev;
>> -	struct vhost_iotlb *iotlb = dev->iotlb;
>>   	struct page **page_list;
>>   	unsigned long list_size = PAGE_SIZE / sizeof(struct page *);
>>   	unsigned int gup_flags = FOLL_LONGTERM;
>>   	unsigned long npages, cur_base, map_pfn, last_pfn = 0;
>>   	unsigned long lock_limit, sz2pin, nchunks, i;
>> -	u64 iova = msg->iova;
>> +	u64 start = iova;
>>   	long pinned;
>>   	int ret = 0;
>>   
>> -	if (msg->iova < v->range.first ||
>> -	    msg->iova + msg->size - 1 > v->range.last)
>> -		return -EINVAL;
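Review bot: the range check removed at the end of this hunk (`msg->iova + msg->size - 1 > v->range.last`) has no replacement in the visible body of vhost_vdpa_pa_map(), which now receives iova and size as plain u64 arguments. Nothing in these lines shows where the validation moved, so please confirm the caller still rejects out-of-range requests before calling the helper, and add a comment above vhost_vdpa_pa_map() stating that it expects an already validated [iova, iova + size - 1] range. Wherever the check ends up, compare size against v->range.last - iova rather than adding iova and size, since the u64 sum can wrap.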
> This is not related to your patch, but can the "msg->iova + msg->size"
> addition have an integer overflow?  From looking at the callers it
> seems like it can.  msg comes from:
>    vhost_chr_write_iter()
>    --> dev->msg_handler(dev, &msg);
>        --> vhost_vdpa_process_iotlb_msg()
>           --> vhost_vdpa_process_iotlb_update()


Yes.


>
> If I'm thinking of the right thing then these are allowed to overflow to
> 0 because of the " - 1" but not further than that.  I believe the check
> needs to be something like:
>
> 	if (msg->iova < v->range.first ||
> 	    msg->iova - 1 > U64_MAX - msg->size ||


I guess we don't need - 1 here?

Thanks


> 	    msg->iova + msg->size - 1 > v->range.last)
>
> But writing integer overflow checks correctly is notoriously difficult.
> Do you think you could send a fix for that which is separate from the
> patchset?  We'd want to backport it to stable.
>
> regards,
> dan carpenter
>
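The wrap-around discussed in this message, as an added userspace example that is not code from the thread or from the kernel: it compares the shape of the removed check with a form that never adds iova and size. The names `struct iova_range`, `SMALL_RANGE`, `FULL_RANGE`, `naive_in_range()` and `safe_in_range()` are hypothetical, `uint64_t` stands in for `u64`, and rejecting `size == 0` is an assumption of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the v->range bounds quoted above; last is inclusive. */
struct iova_range { uint64_t first, last; };

static const struct iova_range SMALL_RANGE = { 0x1000, 0xffffffffULL };
static const struct iova_range FULL_RANGE = { 0, UINT64_MAX };

/* Shape of the removed check: iova + size is computed in 64 bits and may wrap. */
static bool naive_in_range(const struct iova_range *r, uint64_t iova, uint64_t size)
{
	return !(iova < r->first || iova + size - 1 > r->last);
}

/*
 * Wrap-free form: iova and size are never added. Once iova is known to lie
 * in [first, last], last - iova cannot underflow; once size == 0 is rejected
 * (a choice made for this example), size - 1 cannot underflow either.
 */
static bool safe_in_range(const struct iova_range *r, uint64_t iova, uint64_t size)
{
	if (size == 0 || iova < r->first || iova > r->last)
		return false;
	return size - 1 <= r->last - iova;
}

int main(void)
{
	/* Constructed inputs: {range, iova, size}. */
	const struct { const struct iova_range *r; uint64_t iova, size; } t[] = {
		{ &SMALL_RANGE, 0x2000, 0x1000 },                /* ordinary mapping */
		{ &SMALL_RANGE, 0xfffff000ULL, 0x1001 },         /* one byte past last */
		{ &SMALL_RANGE, 0x2000, 0xfffffffffffff000ULL }, /* sum wraps to 0x1000 */
		{ &FULL_RANGE, 1, UINT64_MAX },                  /* sum wraps to 0, end == last */
	};

	for (unsigned i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("iova=%#llx size=%#llx naive=%d safe=%d\n",
		       (unsigned long long)t[i].iova, (unsigned long long)t[i].size,
		       naive_in_range(t[i].r, t[i].iova, t[i].size),
		       safe_in_range(t[i].r, t[i].iova, t[i].size));
	return 0;
}
```

The third case is the one the naive form accepts and the wrap-free form rejects; the fourth is the legitimate mapping whose sum wraps to exactly 0, which both forms accept.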

