| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Feb 2021 11:26:31 +0800
From: Jason Wang <jasowang@...hat.com>
To: Stefano Garzarella <sgarzare@...hat.com>
Cc: virtualization@...ts.linux-foundation.org,
Xie Yongji <xieyongji@...edance.com>,
"Michael S. Tsirkin" <mst@...hat.com>,
Laurent Vivier <lvivier@...hat.com>,
Stefan Hajnoczi <stefanha@...hat.com>,
linux-kernel@...r.kernel.org, Max Gurtovoy <mgurtovoy@...dia.com>,
kvm@...r.kernel.org
Subject: Re: [PATCH RFC v2 03/10] vringh: reset kiov 'consumed' field in
__vringh_iov()
On 2021/2/1 下午6:21, Stefano Garzarella wrote:
> On Mon, Feb 01, 2021 at 01:40:01PM +0800, Jason Wang wrote:
>>
>> On 2021/1/28 下午10:41, Stefano Garzarella wrote:
>>> __vringh_iov() overwrites the contents of riov and wiov, in fact it
>>> resets the 'i' and 'used' fields, but also the consumed field should
>>> be reset to avoid an inconsistent state.
>>>
>>> Signed-off-by: Stefano Garzarella <sgarzare@...hat.com>
>>
>>
>> I had a question(I remember we had some discussion like this but I
>> forget the conclusion):
>
> Sorry, I forgot to update you.
>
>>
>> I see e.g in vringh_getdesc_kern() it has the following comment:
>>
>> /*
>> * Note that you may need to clean up riov and wiov, even on error!
>> */
>>
>> So it looks to me the correct way is to call vringh_kiov_cleanup()
>> before?
>
> Looking at the code the right pattern should be:
>
> vringh_getdesc_*(..., &out_iov, &in_iov, ...);
>
> // use out_iov and in_iov
>
> vringh_kiov_cleanup(&out_iov);
> vringh_kiov_cleanup(&in_iov);
>
> This because vringh_getdesc_*() calls __vringh_iov() where
> resize_iovec() is called to allocate the iov wrapped by 'struct
> vringh_kiov' and vringh_kiov_cleanup() frees that memory.
>
> Looking better, __vringh_iov() is able to extend a 'vringh_kiov'
> pre-allocated, so in order to avoid to allocate and free the iov for
> each request we can avoid to call vringh_kiov_cleanup(), but this
> patch is needed to avoid an inconsistent state.
>
> And also patch "vdpa_sim: cleanup kiovs in vdpasim_free()" is required
> to free the iov when the device is going away.
>
> Does that make sense to you?
Make sense.
>
> Maybe I should add a comment in vringh.c to explain this better.
Yes, please.
Thanks
>
> Thanks,
> Stefano
>
>>
>> Thanks
>>
>>
>>> ---
>>> drivers/vhost/vringh.c | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
>>> index f68122705719..bee63d68201a 100644
>>> --- a/drivers/vhost/vringh.c
>>> +++ b/drivers/vhost/vringh.c
>>> @@ -290,9 +290,9 @@ __vringh_iov(struct vringh *vrh, u16 i,
>>> return -EINVAL;
>>> if (riov)
>>> - riov->i = riov->used = 0;
>>> + riov->i = riov->used = riov->consumed = 0;
>>> if (wiov)
>>> - wiov->i = wiov->used = 0;
>>> + wiov->i = wiov->used = wiov->consumed = 0;
>>> for (;;) {
>>> void *addr;
>>
>
Powered by blists - more mailing lists