Re: [RFC PATCH 04/13] vfio/mdev: remove the usage of the list iterator after the loop

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On 18. Feb 2022, at 16:12, Jason Gunthorpe <jgg@xxxxxxxx> wrote:
> 
> On Thu, Feb 17, 2022 at 07:48:20PM +0100, Jakob Koschel wrote:
>> It is unsafe to assume that tmp != mdev can only evaluate to false
>> if the break within the list iterator is hit.
>> 
>> When the break is not hit, tmp is set to an address derived from the
>> head element. If mdev would match with that value of tmp it would allow
>> continuing beyond the safety check even if mdev was never found within
>> the list
> 
> I think due to other construction this is not actually possible, but I
> guess it is technically correct
> 
> This seems like just a straight up style fix with nothing to do with
> speculative execution though. Why not just send it as a proper patch?
> 
> Jason

Thank you for your feedback.

I've raised some confusion here, I'm sorry about that.
The idea was to change list_for_each_entry() to set 'pos' to NULL
when the list terminates to avoid invalid usage in speculation.

This will break this code and I therefore included the suggested change
in this RFC. This RFC was not intended to be merged as is.

However, in this example, 'tmp' will be a out-of-bounds pointer
if the loop did finish without hitting the break, so the check past the
loop *could* match 'mdev' even though no break was ever met.

I've now realized that this is probably not realistic iff mdev always
points to a valid struct mdev_device.
(It's a slightly different scenario on PATCH 03/13).

Jakob



[Index of Archives]     [Linux Kernel]     [Kernel Newbies]     [x86 Platform Driver]     [Netdev]     [Linux Wireless]     [Netfilter]     [Bugtraq]     [Linux Filesystems]     [Yosemite Discussion]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]

  Powered by Linux