From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 923FEC433EF for ; Wed, 23 Feb 2022 02:05:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236709AbiBWCGF (ORCPT ); Tue, 22 Feb 2022 21:06:05 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35590 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236696AbiBWCGE (ORCPT ); Tue, 22 Feb 2022 21:06:04 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id EA983403D2 for ; Tue, 22 Feb 2022 18:05:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1645581936; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=buzVwsZLq0iXCXG61A4X5ZxneH6xdRKfjx8nNyDkCvI=; b=Td0l9e/wYtCV79TYo93Lvp+EBlUf77o1/fZHWmNaf+fICOcUcnryMcL7phTe3VZoFbBROT ayCKI1woWGQ63CcAI6m9EbniJq9rwg6EG5OBHuxsBvFbM8nY+87RewoUW6GAZ8Wrl49AFd jjvn1HNugnfEDlfDLoF0tUgggoRw8vs= Received: from mail-lf1-f69.google.com (mail-lf1-f69.google.com [209.85.167.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-563-4lxsxhUlOk-18uFT3AQIlQ-1; Tue, 22 Feb 2022 21:05:34 -0500 X-MC-Unique: 4lxsxhUlOk-18uFT3AQIlQ-1 Received: by mail-lf1-f69.google.com with SMTP id c25-20020a056512325900b0043fc8f2e1f6so3022343lfr.6 for ; Tue, 22 Feb 2022 18:05:34 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=buzVwsZLq0iXCXG61A4X5ZxneH6xdRKfjx8nNyDkCvI=; b=ggIjMEFliEC3d9BypwrEb3Q09lXh96GrMZnUD9Cmtg2/FG3KCn4HRm5HC4mJvpyJlt vthHoEho/Ltalxek6Bby9t7HEcflK5vWC3Fi6SpDi/P5SVle4CUDol1J5b2tiKt3j6hP r0YWZJwdSaB1Xmf6CKnecrbTySO+wsXJI2lurHnqfE6/OiXHrZFiqziWEKCnFFHmUTpQ kPOFScZOOwEtb/XklCYpQwXa0IXGGdHcZMMS2xVlA6ms7tp+h3nX7vhNTZFOFz4iXPCD IDE5p5hIuokseA9hTP5YoqYNfcZAR9u8llT4OgpBcnYPgSCA4egmEbvfPAvM0VPdCDo7 HCGg== X-Gm-Message-State: AOAM531oL9SCPpdoQEv2MQ+BorD8E8ip4JNgVWrH7xpBAOMqa3H+Wvhy IDpS2DqQvjocBP723/PCaIqskc8WbHFOoYzkg1GAEMB5L3sOrEh89aY1G7sKogUQvhkSw+enzxV lC9UZfGioON6w2y8xs3YBrHpRXJiVZrGW6/baWjdp X-Received: by 2002:ac2:5f68:0:b0:438:6751:6b83 with SMTP id c8-20020ac25f68000000b0043867516b83mr18922169lfc.376.1645581933100; Tue, 22 Feb 2022 18:05:33 -0800 (PST) X-Google-Smtp-Source: ABdhPJxAHX+x2jwWdLU2x8SL6Qst3i9MqySV/buhDdfIJdvq9F0y/5J2MvOgBJXvw97jTjnOtyWiXmfjF5o4Wdrm/Uk= X-Received: by 2002:ac2:5f68:0:b0:438:6751:6b83 with SMTP id c8-20020ac25f68000000b0043867516b83mr18922150lfc.376.1645581932830; Tue, 22 Feb 2022 18:05:32 -0800 (PST) MIME-Version: 1.0 References: <20220221195303.13560-1-mail@anirudhrb.com> <20220222090511-mutt-send-email-mst@kernel.org> In-Reply-To: <20220222090511-mutt-send-email-mst@kernel.org> From: Jason Wang Date: Wed, 23 Feb 2022 10:05:21 +0800 Message-ID: Subject: Re: [PATCH] vhost: validate range size before adding to iotlb To: "Michael S. Tsirkin" Cc: Anirudh Rayabharam , syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com, kvm , virtualization , netdev , linux-kernel Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 22, 2022 at 11:02 PM Michael S. Tsirkin wrote: > > On Tue, Feb 22, 2022 at 03:11:07PM +0800, Jason Wang wrote: > > On Tue, Feb 22, 2022 at 12:57 PM Anirudh Rayabharam wrote: > > > > > > On Tue, Feb 22, 2022 at 10:50:20AM +0800, Jason Wang wrote: > > > > On Tue, Feb 22, 2022 at 3:53 AM Anirudh Rayabharam wrote: > > > > > > > > > > In vhost_iotlb_add_range_ctx(), validate the range size is non-zero > > > > > before proceeding with adding it to the iotlb. > > > > > > > > > > Range size can overflow to 0 when start is 0 and last is (2^64 - 1). > > > > > One instance where it can happen is when userspace sends an IOTLB > > > > > message with iova=size=uaddr=0 (vhost_process_iotlb_msg). So, an > > > > > entry with size = 0, start = 0, last = (2^64 - 1) ends up in the > > > > > iotlb. Next time a packet is sent, iotlb_access_ok() loops > > > > > indefinitely due to that erroneous entry: > > > > > > > > > > Call Trace: > > > > > > > > > > iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 > > > > > vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 > > > > > vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 > > > > > vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 > > > > > kthread+0x2e9/0x3a0 kernel/kthread.c:377 > > > > > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 > > > > > > > > > > > > > > > Reported by syzbot at: > > > > > https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 > > > > > > > > > > Reported-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > > > > > Tested-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > > > > > Signed-off-by: Anirudh Rayabharam > > > > > --- > > > > > drivers/vhost/iotlb.c | 6 ++++-- > > > > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > > > > > > > diff --git a/drivers/vhost/iotlb.c b/drivers/vhost/iotlb.c > > > > > index 670d56c879e5..b9de74bd2f9c 100644 > > > > > --- a/drivers/vhost/iotlb.c > > > > > +++ b/drivers/vhost/iotlb.c > > > > > @@ -53,8 +53,10 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, > > > > > void *opaque) > > > > > { > > > > > struct vhost_iotlb_map *map; > > > > > + u64 size = last - start + 1; > > > > > > > > > > - if (last < start) > > > > > + // size can overflow to 0 when start is 0 and last is (2^64 - 1). > > > > > + if (last < start || size == 0) > > > > > return -EFAULT; > > > > > > > > I'd move this check to vhost_chr_iter_write(), then for the device who > > > > has its own msg handler (e.g vDPA) can benefit from it as well. > > > > > > Thanks for reviewing! > > > > > > I kept the check here thinking that all devices would benefit from it > > > because they would need to call vhost_iotlb_add_range() to add an entry > > > to the iotlb. Isn't that correct? > > > > Correct for now but not for the future, it's not guaranteed that the > > per device iotlb message handler will use vhost iotlb. > > > > But I agree that we probably don't need to care about it too much now. > > > > > Do you see any other benefit in moving > > > it to vhost_chr_iter_write()? > > > > > > One concern I have is that if we move it out some future caller to > > > vhost_iotlb_add_range() might forget to handle this case. > > > > Yes. > > > > Rethink the whole fix, we're basically rejecting [0, ULONG_MAX] range > > which seems a little bit odd. > > Well, I guess ideally we'd split this up as two entries - this kind of > thing is after all one of the reasons we initially used first,last as > the API - as opposed to first,size. > > Anirudh, could you do it like this instead of rejecting? > > > > I wonder if it's better to just remove > > the map->size. Having a quick glance at the the user, I don't see any > > blocker for this. > > > > Thanks > > I think it's possible but won't solve the bug by itself, and we'd need > to review and fix all users - a high chance of introducing > another regression. And I think there's value of fitting under the > stable rule of 100 lines with context. > So sure, but let's fix the bug first. Ok, I agree. Thanks > > > > > > > > > Thanks! > > > > > > - Anirudh. > > > > > > > > > > > Thanks > > > > > > > > > > > > > > if (iotlb->limit && > > > > > @@ -69,7 +71,7 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, > > > > > return -ENOMEM; > > > > > > > > > > map->start = start; > > > > > - map->size = last - start + 1; > > > > > + map->size = size; > > > > > map->last = last; > > > > > map->addr = addr; > > > > > map->perm = perm; > > > > > -- > > > > > 2.35.1 > > > > > > > > > > > > >