On Tue, Feb 02, 2021 at 04:49:50PM +0100, Stefano Garzarella wrote:
> On Tue, Feb 02, 2021 at 09:34:12AM +0000, Stefan Hajnoczi wrote:
> > On Thu, Jan 28, 2021 at 03:41:25PM +0100, Stefano Garzarella wrote:
> > > +static void vdpasim_blk_work(struct work_struct *work)
> > > +{
> > > + struct vdpasim *vdpasim = container_of(work, struct vdpasim, work);
> > > + u8 status = VIRTIO_BLK_S_OK;
> > > + int i;
> > > +
> > > + spin_lock(&vdpasim->lock);
> > > +
> > > + if (!(vdpasim->status & VIRTIO_CONFIG_S_DRIVER_OK))
> > > + goto out;
> > > +
> > > + for (i = 0; i < VDPASIM_BLK_VQ_NUM; i++) {
> > > + struct vdpasim_virtqueue *vq = &vdpasim->vqs[i];
> > > +
> > > + if (!vq->ready)
> > > + continue;
> > > +
> > > + while (vringh_getdesc_iotlb(&vq->vring, &vq->out_iov,
> > > + &vq->in_iov, &vq->head,
> > > + GFP_ATOMIC) > 0) {
> > > + int write;
> > > +
> > > + vq->in_iov.i = vq->in_iov.used - 1;
> > > + write = vringh_iov_push_iotlb(&vq->vring, &vq->in_iov,
> > > + &status, 1);
> > > + if (write <= 0)
> > > + break;
> >
> > This code looks fragile:
> >
> > 1. Relying on unsigned underflow and the while loop in
> > vringh_iov_push_iotlb() to handle the case where in_iov.used == 0 is
> > risky and could break.
> >
> > 2. Does this assume that the last in_iov element has size 1? For
> > example, the guest driver may send a single "in" iovec with size 513
> > when reading 512 bytes (with an extra byte for the request status).
> >
> > Please validate inputs fully, even in test/development code, because
> > it's likely to be copied by others when writing production code (or
> > deployed in production by unsuspecting users) :).
>
> Perfectly agree on that, so I addressed these things, also following your
> review on the previous version, on the next patch of this series:
> "vdpa_sim_blk: implement ramdisk behaviour".
>
> Do you think should I move these checks in this patch?
>
> I did this to leave Max credit for this patch and add more code to emulate a
> ramdisk in later patches.
You could update the commit description so it's clear that input
validation is missing and will be added in the next commit.
Stefan
Attachment:
signature.asc
Description: PGP signature
