From: Yongji Xie <xieyongji@bytedance.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>, "Jason Wang" <jasowang@redhat.com>, "Stefan Hajnoczi" <stefanha@redhat.com>, "Stefano Garzarella" <sgarzare@redhat.com>, "Parav Pandit" <parav@nvidia.com>, "Christoph Hellwig" <hch@infradead.org>, "Christian Brauner" <christian.brauner@canonical.com>, "Randy Dunlap" <rdunlap@infradead.org>, "Matthew Wilcox" <willy@infradead.org>, "Al Viro" <viro@zeniv.linux.org.uk>, "Jens Axboe" <axboe@kernel.dk>, bcrl@kvack.org, "Jonathan Corbet" <corbet@lwn.net>, "Mika Penttilä" <mika.penttila@nextfour.com>, joro@8bytes.org, "Greg KH" <gregkh@linuxfoundation.org>, "He Zhe" <zhe.he@windriver.com>, "Liu Xiaodong" <xiaodong.liu@intel.com>, songmuchun@bytedance.com, virtualization <virtualization@lists.linux-foundation.org>, netdev@vger.kernel.org, kvm <kvm@vger.kernel.org>, linux-fsdevel@vger.kernel.org, iommu@lists.linux-foundation.org, linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v9 13/17] vdpa: factor out vhost_vdpa_pa_map() and vhost_vdpa_pa_unmap()
Date: Wed, 14 Jul 2021 13:24:02 +0800
Message-ID: <CACycT3uKwu5xzj2ynWH5njCKHaYyOPkDb8BVLTHE5NJ-qpD3xQ@mail.gmail.com>
In-Reply-To: <20210713113114.GL1954@kadam>

On Tue, Jul 13, 2021 at 7:31 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Tue, Jul 13, 2021 at 04:46:52PM +0800, Xie Yongji wrote:
> > @@ -613,37 +618,28 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, u64 iova, u64 size) > > } > > } > > > > -static int vhost_vdpa_process_iotlb_update(struct vhost_vdpa *v, > > - struct vhost_iotlb_msg *msg) > > +static int vhost_vdpa_pa_map(struct vhost_vdpa *v, > > + u64 iova, u64 size, u64 uaddr, u32 perm) > > { > > struct vhost_dev *dev = &v->vdev; > > - struct vhost_iotlb *iotlb = dev->iotlb; > > struct page **page_list; > > unsigned long list_size = PAGE_SIZE / sizeof(struct page *); > > unsigned int gup_flags = FOLL_LONGTERM; > > unsigned long npages, cur_base, map_pfn, last_pfn = 0; > > unsigned long lock_limit, sz2pin, nchunks, i; > > - u64 iova = msg->iova; > > + u64 start = iova; > > long pinned; > > int ret = 0; > > > > - if (msg->iova < v->range.first || > > - msg->iova + msg->size - 1 > v->range.last) > > - return -EINVAL;
>
> This is not related to your patch, but can the "msg->iova + msg->size"
> addition have an integer overflow?  From looking at the callers it
> seems like it can.  msg comes from:
>   vhost_chr_write_iter()
>   --> dev->msg_handler(dev, &msg);
>       --> vhost_vdpa_process_iotlb_msg()
>          --> vhost_vdpa_process_iotlb_update()
>
> If I'm thinking of the right thing then these are allowed to overflow to
> 0 because of the " - 1" but not further than that.  I believe the check
> needs to be something like:
>
>	if (msg->iova < v->range.first ||
>	    msg->iova - 1 > U64_MAX - msg->size ||
>	    msg->iova + msg->size - 1 > v->range.last)
>

Makes sense.

> But writing integer overflow checks correctly is notoriously difficult.
> Do you think you could send a fix for that which is separate from the
> patchset?  We'd want to backport it to stable.
>

OK, I will send a patch to fix it.

Thanks,
Yongji
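
Review bot: the range check deleted at the end of this hunk (`msg->iova < v->range.first || msg->iova + msg->size - 1 > v->range.last`) is not visibly re-added anywhere in the quoted lines, while the new vhost_vdpa_pa_map() signature takes raw `u64 iova, u64 size`. Please confirm that the remaining caller still validates both values against v->range before calling in, and add a short comment on vhost_vdpa_pa_map() stating that it expects an already-validated range. Because `iova + size - 1` can wrap for u64 inputs, whichever function keeps the check should also reject a wrapped end address rather than carrying the expression over unchanged.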
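
The wrap asked about in the reply above, as an added userspace C example (not code from this thread or from the kernel, and not the fix discussed in it). `struct iova_range`, `range_ok_naive()` and `range_ok_checked()` are hypothetical names, the sample values are constructed, and rejecting `size == 0` is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the v->range bounds used in the thread. */
struct iova_range { uint64_t first, last; };

/* The check as written in the removed lines: iova + size - 1 can wrap. */
static bool range_ok_naive(const struct iova_range *r, uint64_t iova, uint64_t size)
{
	return !(iova < r->first || iova + size - 1 > r->last);
}

/* Wrap-free form: each subtraction is guarded by the comparison before it. */
static bool range_ok_checked(const struct iova_range *r, uint64_t iova, uint64_t size)
{
	if (size == 0)                     /* assumption: empty mappings are rejected */
		return false;
	if (iova < r->first || iova > r->last)
		return false;
	return size - 1 <= r->last - iova; /* last - iova cannot underflow here */
}

int main(void)
{
	/* Constructed sample values, not taken from the thread. */
	const struct iova_range r = { 0x1000, 0xffffff };
	const struct { uint64_t iova, size; } t[] = {
		{ 0x1000, 0x1000 },             /* inside the range */
		{ 0xfff000, 0x1000 },           /* ends exactly at last */
		{ 0xfff000, 0x2000 },           /* runs past last, no wrap */
		{ 0x2000, UINT64_MAX - 0xfff }, /* iova + size wraps to 0x1000 */
	};

	for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("iova=%#llx size=%#llx naive=%d checked=%d\n",
		       (unsigned long long)t[i].iova,
		       (unsigned long long)t[i].size,
		       range_ok_naive(&r, t[i].iova, t[i].size),
		       range_ok_checked(&r, t[i].iova, t[i].size));
	return 0;
}
```

Only the last sample separates the two functions: the naive form accepts it because the wrapped end address falls back inside the range.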