lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 9 Oct 2020 12:05:15 +0800
From:   Jason Wang <jasowang@...hat.com>
To:     Stefano Garzarella <sgarzare@...hat.com>, mst@...hat.com
Cc:     kvm@...r.kernel.org, netdev@...r.kernel.org,
        virtualization@...ts.linux-foundation.org,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Rusty Russell <rusty@...tcorp.com.au>
Subject: Re: [PATCH v2] vringh: fix __vringh_iov() when riov and wiov are
 different


On 2020/10/9 上午4:42, Stefano Garzarella wrote:
> If riov and wiov are both defined and they point to different
> objects, only riov is initialized. If the wiov is not initialized
> by the caller, the function fails returning -EINVAL and printing
> "Readable desc 0x... after writable" error message.
>
> This issue happens when descriptors have both readable and writable
> buffers (eg. virtio-blk devices has virtio_blk_outhdr in the readable
> buffer and status as last byte of writable buffer) and we call
> __vringh_iov() to get both type of buffers in two different iovecs.
>
> Let's replace the 'else if' clause with 'if' to initialize both
> riov and wiov if they are not NULL.
>
> As checkpatch pointed out, we also avoid crashing the kernel
> when riov and wiov are both NULL, replacing BUG() with WARN_ON()
> and returning -EINVAL.


It looks like I met the exact similar issue when developing ctrl vq 
support (which requires both READ and WRITE descriptor).

While I was trying to fix the issue I found the following comment:

  * Note that you may need to clean up riov and wiov, even on error!
  */
int vringh_getdesc_iotlb(struct vringh *vrh,

I saw some driver call vringh_kiov_cleanup().

So I just follow to use that.

I'm not quite sure which one is better.

Thanks


>
> Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
> Cc: stable@...r.kernel.org
> Signed-off-by: Stefano Garzarella <sgarzare@...hat.com>
> ---
>   drivers/vhost/vringh.c | 9 +++++----
>   1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
> index e059a9a47cdf..8bd8b403f087 100644
> --- a/drivers/vhost/vringh.c
> +++ b/drivers/vhost/vringh.c
> @@ -284,13 +284,14 @@ __vringh_iov(struct vringh *vrh, u16 i,
>   	desc_max = vrh->vring.num;
>   	up_next = -1;
>   
> +	/* You must want something! */
> +	if (WARN_ON(!riov && !wiov))
> +		return -EINVAL;
> +
>   	if (riov)
>   		riov->i = riov->used = 0;
> -	else if (wiov)
> +	if (wiov)
>   		wiov->i = wiov->used = 0;
> -	else
> -		/* You must want something! */
> -		BUG();
>   
>   	for (;;) {
>   		void *addr;

Powered by blists - more mailing lists