| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210201102120.kvbpbne3spaqv6yz@steredhat>
Date: Mon, 1 Feb 2021 11:21:20 +0100
From: Stefano Garzarella <sgarzare@...hat.com>
To: Jason Wang <jasowang@...hat.com>
Cc: virtualization@...ts.linux-foundation.org,
Xie Yongji <xieyongji@...edance.com>,
"Michael S. Tsirkin" <mst@...hat.com>,
Laurent Vivier <lvivier@...hat.com>,
Stefan Hajnoczi <stefanha@...hat.com>,
linux-kernel@...r.kernel.org, Max Gurtovoy <mgurtovoy@...dia.com>,
kvm@...r.kernel.org
Subject: Re: [PATCH RFC v2 03/10] vringh: reset kiov 'consumed' field in
__vringh_iov()
On Mon, Feb 01, 2021 at 01:40:01PM +0800, Jason Wang wrote:
>
>On 2021/1/28 下午10:41, Stefano Garzarella wrote:
>>__vringh_iov() overwrites the contents of riov and wiov, in fact it
>>resets the 'i' and 'used' fields, but also the consumed field should
>>be reset to avoid an inconsistent state.
>>
>>Signed-off-by: Stefano Garzarella <sgarzare@...hat.com>
>
>
>I had a question(I remember we had some discussion like this but I
>forget the conclusion):
Sorry, I forgot to update you.
>
>I see e.g in vringh_getdesc_kern() it has the following comment:
>
>/*
> * Note that you may need to clean up riov and wiov, even on error!
> */
>
>So it looks to me the correct way is to call vringh_kiov_cleanup()
>before?
Looking at the code the right pattern should be:
vringh_getdesc_*(..., &out_iov, &in_iov, ...);
// use out_iov and in_iov
vringh_kiov_cleanup(&out_iov);
vringh_kiov_cleanup(&in_iov);
This because vringh_getdesc_*() calls __vringh_iov() where
resize_iovec() is called to allocate the iov wrapped by 'struct
vringh_kiov' and vringh_kiov_cleanup() frees that memory.
Looking better, __vringh_iov() is able to extend a 'vringh_kiov'
pre-allocated, so in order to avoid to allocate and free the iov for
each request we can avoid to call vringh_kiov_cleanup(), but this patch
is needed to avoid an inconsistent state.
And also patch "vdpa_sim: cleanup kiovs in vdpasim_free()" is required
to free the iov when the device is going away.
Does that make sense to you?
Maybe I should add a comment in vringh.c to explain this better.
Thanks,
Stefano
>
>Thanks
>
>
>>---
>> drivers/vhost/vringh.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>>diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
>>index f68122705719..bee63d68201a 100644
>>--- a/drivers/vhost/vringh.c
>>+++ b/drivers/vhost/vringh.c
>>@@ -290,9 +290,9 @@ __vringh_iov(struct vringh *vrh, u16 i,
>> return -EINVAL;
>> if (riov)
>>- riov->i = riov->used = 0;
>>+ riov->i = riov->used = riov->consumed = 0;
>> if (wiov)
>>- wiov->i = wiov->used = 0;
>>+ wiov->i = wiov->used = wiov->consumed = 0;
>> for (;;) {
>> void *addr;
>
Powered by blists - more mailing lists