* [PATCH] vduse: Fix a possible warning in vduse_create_dev()
@ 2022-11-26 3:59 Harshit Mogalapalli
2022-11-26 23:22 ` Michael S. Tsirkin
0 siblings, 1 reply; 9+ messages in thread
From: Harshit Mogalapalli @ 2022-11-26 3:59 UTC (permalink / raw)
Cc: harshit.m.mogalapalli, error27, harshit.m.mogalapalli,
Michael S. Tsirkin, Jason Wang, Xie Yongji, Gautam Dawar,
Maxime Coquelin, Guanjun, Parav Pandit, Eli Cohen,
virtualization, linux-kernel
As 'dev->vq_num' is user-controlled data, if user tries to allocate
memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it
creates a stack trace and messes up dmesg with a warning.
Call trace:
-> vduse_ioctl
--> vduse_create_dev
'config->vq_num' is user data as it comes from ioctl, which is
assigned to 'dev->vq_num'.
Add __GFP_NOWARN in order to avoid too large allocation warning.
This is detected by static analysis using smatch.
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
index 35dceee3ed56..5e9546b16165 100644
--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config,
dev->config_size = config->config_size;
dev->vq_align = config->vq_align;
dev->vq_num = config->vq_num;
- dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL);
+ dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs),
+ GFP_KERNEL | __GFP_NOWARN);
if (!dev->vqs)
goto err_vqs;
--
2.38.1
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev() 2022-11-26 3:59 [PATCH] vduse: Fix a possible warning in vduse_create_dev() Harshit Mogalapalli @ 2022-11-26 23:22 ` Michael S. Tsirkin 0 siblings, 0 replies; 9+ messages in thread From: Michael S. Tsirkin @ 2022-11-26 23:22 UTC (permalink / raw) To: Harshit Mogalapalli Cc: Guanjun, error27, harshit.m.mogalapalli, linux-kernel, virtualization, Xie Yongji, Maxime Coquelin, Gautam Dawar, Eli Cohen On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: > As 'dev->vq_num' is user-controlled data, if user tries to allocate > memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it > creates a stack trace and messes up dmesg with a warning. > > Call trace: > -> vduse_ioctl > --> vduse_create_dev > 'config->vq_num' is user data as it comes from ioctl, which is > assigned to 'dev->vq_num'. > > Add __GFP_NOWARN in order to avoid too large allocation warning. > This is detected by static analysis using smatch. > > Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> > --- > drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > index 35dceee3ed56..5e9546b16165 100644 > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, > dev->config_size = config->config_size; > dev->vq_align = config->vq_align; > dev->vq_num = config->vq_num; > - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); > + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), > + GFP_KERNEL | __GFP_NOWARN); > if (!dev->vqs) > goto err_vqs; This is insufficient - the real source of the problem is that vq_num is not validated. The thing to do is to validate config and limit vq_num to 0xffff; > -- > 2.38.1 _______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev() @ 2022-11-26 23:22 ` Michael S. Tsirkin 0 siblings, 0 replies; 9+ messages in thread From: Michael S. Tsirkin @ 2022-11-26 23:22 UTC (permalink / raw) To: Harshit Mogalapalli Cc: error27, harshit.m.mogalapalli, Jason Wang, Xie Yongji, Gautam Dawar, Maxime Coquelin, Guanjun, Parav Pandit, Eli Cohen, virtualization, linux-kernel On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: > As 'dev->vq_num' is user-controlled data, if user tries to allocate > memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it > creates a stack trace and messes up dmesg with a warning. > > Call trace: > -> vduse_ioctl > --> vduse_create_dev > 'config->vq_num' is user data as it comes from ioctl, which is > assigned to 'dev->vq_num'. > > Add __GFP_NOWARN in order to avoid too large allocation warning. > This is detected by static analysis using smatch. > > Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> > --- > drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > index 35dceee3ed56..5e9546b16165 100644 > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, > dev->config_size = config->config_size; > dev->vq_align = config->vq_align; > dev->vq_num = config->vq_num; > - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); > + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), > + GFP_KERNEL | __GFP_NOWARN); > if (!dev->vqs) > goto err_vqs; This is insufficient - the real source of the problem is that vq_num is not validated. The thing to do is to validate config and limit vq_num to 0xffff; > -- > 2.38.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev() 2022-11-26 23:22 ` Michael S. Tsirkin (?) @ 2022-11-27 2:46 ` Harshit Mogalapalli 2022-11-27 16:34 ` Michael S. Tsirkin -1 siblings, 1 reply; 9+ messages in thread From: Harshit Mogalapalli @ 2022-11-27 2:46 UTC (permalink / raw) To: Michael S. Tsirkin Cc: error27, harshit.m.mogalapalli, Jason Wang, Xie Yongji, Gautam Dawar, Maxime Coquelin, Guanjun, Parav Pandit, Eli Cohen, virtualization, linux-kernel, Harshit Mogalapalli Hi Micheal, On 27/11/22 4:52 am, Michael S. Tsirkin wrote: > On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: >> As 'dev->vq_num' is user-controlled data, if user tries to allocate >> memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it >> creates a stack trace and messes up dmesg with a warning. >> >> Call trace: >> -> vduse_ioctl >> --> vduse_create_dev >> 'config->vq_num' is user data as it comes from ioctl, which is >> assigned to 'dev->vq_num'. >> >> Add __GFP_NOWARN in order to avoid too large allocation warning. >> This is detected by static analysis using smatch. >> >> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") >> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> >> --- >> drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c >> index 35dceee3ed56..5e9546b16165 100644 >> --- a/drivers/vdpa/vdpa_user/vduse_dev.c >> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c >> @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, >> dev->config_size = config->config_size; >> dev->vq_align = config->vq_align; >> dev->vq_num = config->vq_num; >> - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); >> + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), >> + GFP_KERNEL | __GFP_NOWARN); >> if (!dev->vqs) >> goto err_vqs; > Thanks for checking the patch. > This is insufficient - the real source of the problem is that > vq_num is not validated. > The thing to do is to validate config and limit vq_num to 0xffff; > 1557 static long vduse_ioctl(struct file *file, unsigned int cmd, 1558 unsigned long arg) 1559 { 1560 int ret; 1561 void __user *argp = (void __user *)arg; 1564 mutex_lock(&vduse_lock); 1565 switch (cmd) { .... 1584 case VDUSE_CREATE_DEV: { 1585 struct vduse_dev_config config; 1587 void *buf; 1588 1589 ret = -EFAULT; 1590 if (copy_from_user(&config, argp, size)) 1591 break; 1592 1593 ret = -EINVAL; 1594 if (vduse_validate_config(&config) == false) 1595 break; 1596 1597 buf = vmemdup_user(argp + size, config.config_size); 1598 if (IS_ERR(buf)) { 1599 ret = PTR_ERR(buf); 1600 break; 1601 } 1602 config.name[VDUSE_NAME_MAX - 1] = '\0'; 1603 ret = vduse_create_dev(&config, buf, control->api_version); 1604 if (ret) 1605 kvfree(buf); 1606 break; 1607 } we have vduse_validate_config() being called in vduse_ioctl() which is the caller of vduse_create_dev(), so validate_config() is not necessary in vduse_create_dev() ? Thanks, Harshit > >> -- >> 2.38.1 > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev() 2022-11-27 2:46 ` Harshit Mogalapalli @ 2022-11-27 16:34 ` Michael S. Tsirkin 0 siblings, 0 replies; 9+ messages in thread From: Michael S. Tsirkin @ 2022-11-27 16:34 UTC (permalink / raw) To: Harshit Mogalapalli Cc: Guanjun, error27, harshit.m.mogalapalli, linux-kernel, virtualization, Xie Yongji, Maxime Coquelin, Gautam Dawar, Eli Cohen On Sun, Nov 27, 2022 at 08:16:24AM +0530, Harshit Mogalapalli wrote: > Hi Micheal, > > On 27/11/22 4:52 am, Michael S. Tsirkin wrote: > > On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: > > > As 'dev->vq_num' is user-controlled data, if user tries to allocate > > > memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it > > > creates a stack trace and messes up dmesg with a warning. > > > > > > Call trace: > > > -> vduse_ioctl > > > --> vduse_create_dev > > > 'config->vq_num' is user data as it comes from ioctl, which is > > > assigned to 'dev->vq_num'. > > > > > > Add __GFP_NOWARN in order to avoid too large allocation warning. > > > This is detected by static analysis using smatch. > > > > > > Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") > > > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> > > > --- > > > drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > > > index 35dceee3ed56..5e9546b16165 100644 > > > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > > > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > > > @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, > > > dev->config_size = config->config_size; > > > dev->vq_align = config->vq_align; > > > dev->vq_num = config->vq_num; > > > - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); > > > + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), > > > + GFP_KERNEL | __GFP_NOWARN); > > > if (!dev->vqs) > > > goto err_vqs; > > > > Thanks for checking the patch. > > > This is insufficient - the real source of the problem is that > > vq_num is not validated. > > The thing to do is to validate config and limit vq_num to 0xffff; > > > > 1557 static long vduse_ioctl(struct file *file, unsigned int cmd, > 1558 unsigned long arg) > 1559 { > 1560 int ret; > 1561 void __user *argp = (void __user *)arg; > 1564 mutex_lock(&vduse_lock); > 1565 switch (cmd) { > .... > 1584 case VDUSE_CREATE_DEV: { > 1585 struct vduse_dev_config config; > 1587 void *buf; > 1588 > 1589 ret = -EFAULT; > 1590 if (copy_from_user(&config, argp, size)) > 1591 break; > 1592 > 1593 ret = -EINVAL; > 1594 if (vduse_validate_config(&config) == false) > 1595 break; > 1596 > 1597 buf = vmemdup_user(argp + size, config.config_size); > 1598 if (IS_ERR(buf)) { > 1599 ret = PTR_ERR(buf); > 1600 break; > 1601 } > 1602 config.name[VDUSE_NAME_MAX - 1] = '\0'; > 1603 ret = vduse_create_dev(&config, buf, > control->api_version); > 1604 if (ret) > 1605 kvfree(buf); > 1606 break; > 1607 } > > we have vduse_validate_config() being called in vduse_ioctl() which is the > caller of vduse_create_dev(), so validate_config() is not necessary in > vduse_create_dev() ? > > Thanks, > Harshit OK but I don't see vduse_validate_config checking vq_num. > > > > > -- > > > 2.38.1 > > _______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev() @ 2022-11-27 16:34 ` Michael S. Tsirkin 0 siblings, 0 replies; 9+ messages in thread From: Michael S. Tsirkin @ 2022-11-27 16:34 UTC (permalink / raw) To: Harshit Mogalapalli Cc: error27, harshit.m.mogalapalli, Jason Wang, Xie Yongji, Gautam Dawar, Maxime Coquelin, Guanjun, Parav Pandit, Eli Cohen, virtualization, linux-kernel On Sun, Nov 27, 2022 at 08:16:24AM +0530, Harshit Mogalapalli wrote: > Hi Micheal, > > On 27/11/22 4:52 am, Michael S. Tsirkin wrote: > > On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: > > > As 'dev->vq_num' is user-controlled data, if user tries to allocate > > > memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it > > > creates a stack trace and messes up dmesg with a warning. > > > > > > Call trace: > > > -> vduse_ioctl > > > --> vduse_create_dev > > > 'config->vq_num' is user data as it comes from ioctl, which is > > > assigned to 'dev->vq_num'. > > > > > > Add __GFP_NOWARN in order to avoid too large allocation warning. > > > This is detected by static analysis using smatch. > > > > > > Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") > > > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> > > > --- > > > drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > > > index 35dceee3ed56..5e9546b16165 100644 > > > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > > > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > > > @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, > > > dev->config_size = config->config_size; > > > dev->vq_align = config->vq_align; > > > dev->vq_num = config->vq_num; > > > - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); > > > + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), > > > + GFP_KERNEL | __GFP_NOWARN); > > > if (!dev->vqs) > > > goto err_vqs; > > > > Thanks for checking the patch. > > > This is insufficient - the real source of the problem is that > > vq_num is not validated. > > The thing to do is to validate config and limit vq_num to 0xffff; > > > > 1557 static long vduse_ioctl(struct file *file, unsigned int cmd, > 1558 unsigned long arg) > 1559 { > 1560 int ret; > 1561 void __user *argp = (void __user *)arg; > 1564 mutex_lock(&vduse_lock); > 1565 switch (cmd) { > .... > 1584 case VDUSE_CREATE_DEV: { > 1585 struct vduse_dev_config config; > 1587 void *buf; > 1588 > 1589 ret = -EFAULT; > 1590 if (copy_from_user(&config, argp, size)) > 1591 break; > 1592 > 1593 ret = -EINVAL; > 1594 if (vduse_validate_config(&config) == false) > 1595 break; > 1596 > 1597 buf = vmemdup_user(argp + size, config.config_size); > 1598 if (IS_ERR(buf)) { > 1599 ret = PTR_ERR(buf); > 1600 break; > 1601 } > 1602 config.name[VDUSE_NAME_MAX - 1] = '\0'; > 1603 ret = vduse_create_dev(&config, buf, > control->api_version); > 1604 if (ret) > 1605 kvfree(buf); > 1606 break; > 1607 } > > we have vduse_validate_config() being called in vduse_ioctl() which is the > caller of vduse_create_dev(), so validate_config() is not necessary in > vduse_create_dev() ? > > Thanks, > Harshit OK but I don't see vduse_validate_config checking vq_num. > > > > > -- > > > 2.38.1 > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev() 2022-11-27 16:34 ` Michael S. Tsirkin @ 2022-11-28 4:13 ` Dan Carpenter -1 siblings, 0 replies; 9+ messages in thread From: Dan Carpenter @ 2022-11-28 4:13 UTC (permalink / raw) To: Michael S. Tsirkin Cc: Guanjun, harshit.m.mogalapalli, linux-kernel, virtualization, Xie Yongji, Maxime Coquelin, Harshit Mogalapalli, Gautam Dawar, Eli Cohen Btw, after you add the check to vduse_validate_config() you can test that it silences the Smatch warning by doing: kchecker --info drivers/vdpa/vdpa_user/vduse_dev.c | tee out ~/smatch/smatch_data/db/reload_partial.sh out kchecker drivers/vdpa/vdpa_user/vduse_dev.c You might need to do a second --info and reload for the changes to propagate. regards, dan carpenter _______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev() @ 2022-11-28 4:13 ` Dan Carpenter 0 siblings, 0 replies; 9+ messages in thread From: Dan Carpenter @ 2022-11-28 4:13 UTC (permalink / raw) To: Michael S. Tsirkin Cc: Harshit Mogalapalli, harshit.m.mogalapalli, Jason Wang, Xie Yongji, Gautam Dawar, Maxime Coquelin, Guanjun, Parav Pandit, Eli Cohen, virtualization, linux-kernel Btw, after you add the check to vduse_validate_config() you can test that it silences the Smatch warning by doing: kchecker --info drivers/vdpa/vdpa_user/vduse_dev.c | tee out ~/smatch/smatch_data/db/reload_partial.sh out kchecker drivers/vdpa/vdpa_user/vduse_dev.c You might need to do a second --info and reload for the changes to propagate. regards, dan carpenter ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] vduse: Fix a possible warning in vduse_create_dev() 2022-11-27 16:34 ` Michael S. Tsirkin (?) (?) @ 2022-11-28 8:38 ` Harshit Mogalapalli -1 siblings, 0 replies; 9+ messages in thread From: Harshit Mogalapalli @ 2022-11-28 8:38 UTC (permalink / raw) To: Michael S. Tsirkin Cc: error27, harshit.m.mogalapalli, Jason Wang, Xie Yongji, Gautam Dawar, Maxime Coquelin, Guanjun, Parav Pandit, Eli Cohen, virtualization, linux-kernel Hi Micheal, On 27/11/22 10:04 pm, Michael S. Tsirkin wrote: > On Sun, Nov 27, 2022 at 08:16:24AM +0530, Harshit Mogalapalli wrote: >> Hi Micheal, >> >> On 27/11/22 4:52 am, Michael S. Tsirkin wrote: >>> On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: >>>> As 'dev->vq_num' is user-controlled data, if user tries to allocate >>>> memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it >>>> creates a stack trace and messes up dmesg with a warning. >>>> >>>> Call trace: >>>> -> vduse_ioctl >>>> --> vduse_create_dev >>>> 'config->vq_num' is user data as it comes from ioctl, which is >>>> assigned to 'dev->vq_num'. >>>> >>>> Add __GFP_NOWARN in order to avoid too large allocation warning. >>>> This is detected by static analysis using smatch. >>>> >>>> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") >>>> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> >>>> --- >>>> drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- >>>> 1 file changed, 2 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c >>>> index 35dceee3ed56..5e9546b16165 100644 >>>> --- a/drivers/vdpa/vdpa_user/vduse_dev.c >>>> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c >>>> @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, >>>> dev->config_size = config->config_size; >>>> dev->vq_align = config->vq_align; >>>> dev->vq_num = config->vq_num; >>>> - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); >>>> + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), >>>> + GFP_KERNEL | __GFP_NOWARN); >>>> if (!dev->vqs) >>>> goto err_vqs; >>> >> >> Thanks for checking the patch. >> >>> This is insufficient - the real source of the problem is that >>> vq_num is not validated. >>> The thing to do is to validate config and limit vq_num to 0xffff; >>> >> >> 1557 static long vduse_ioctl(struct file *file, unsigned int cmd, >> 1558 unsigned long arg) >> 1559 { >> 1560 int ret; >> 1561 void __user *argp = (void __user *)arg; >> 1564 mutex_lock(&vduse_lock); >> 1565 switch (cmd) { >> .... >> 1584 case VDUSE_CREATE_DEV: { >> 1585 struct vduse_dev_config config; >> 1587 void *buf; >> 1588 >> 1589 ret = -EFAULT; >> 1590 if (copy_from_user(&config, argp, size)) >> 1591 break; >> 1592 >> 1593 ret = -EINVAL; >> 1594 if (vduse_validate_config(&config) == false) >> 1595 break; >> 1596 >> 1597 buf = vmemdup_user(argp + size, config.config_size); >> 1598 if (IS_ERR(buf)) { >> 1599 ret = PTR_ERR(buf); >> 1600 break; >> 1601 } >> 1602 config.name[VDUSE_NAME_MAX - 1] = '\0'; >> 1603 ret = vduse_create_dev(&config, buf, >> control->api_version); >> 1604 if (ret) >> 1605 kvfree(buf); >> 1606 break; >> 1607 } >> >> we have vduse_validate_config() being called in vduse_ioctl() which is the >> caller of vduse_create_dev(), so validate_config() is not necessary in >> vduse_create_dev() ? >> >> Thanks, >> Harshit > > OK but I don't see vduse_validate_config checking vq_num. > right, I have added a limit of 0xffff to vq_num as you suggested in V2. The reason for keeping the limit as 0xffff is the max number of virt queues is the size of vring buffer? Thanks, Harshit >>> >>>> -- >>>> 2.38.1 >>> > ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2022-11-28 8:39 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-11-26 3:59 [PATCH] vduse: Fix a possible warning in vduse_create_dev() Harshit Mogalapalli 2022-11-26 23:22 ` Michael S. Tsirkin 2022-11-26 23:22 ` Michael S. Tsirkin 2022-11-27 2:46 ` Harshit Mogalapalli 2022-11-27 16:34 ` Michael S. Tsirkin 2022-11-27 16:34 ` Michael S. Tsirkin 2022-11-28 4:13 ` Dan Carpenter 2022-11-28 4:13 ` Dan Carpenter 2022-11-28 8:38 ` Harshit Mogalapalli
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.