RE: [PATCH] Drivers: hv: vmbus: Fix variable assignments in hv_ringbuffer_read()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> -----Original Message-----
> From: Stephen Hemminger <stephen@xxxxxxxxxxxxxxxxxx>
> Sent: Friday, July 24, 2020 1:11 PM
> To: Andres Beltran <lkmlabelt@xxxxxxxxx>
> Cc: KY Srinivasan <kys@xxxxxxxxxxxxx>; Haiyang Zhang
> <haiyangz@xxxxxxxxxxxxx>; Stephen Hemminger <sthemmin@xxxxxxxxxxxxx>;
> wei.liu@xxxxxxxxxx; linux-hyperv@xxxxxxxxxxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx; Michael Kelley <mikelley@xxxxxxxxxxxxx>;
> parri.andrea@xxxxxxxxx; Saruhan Karademir <skarade@xxxxxxxxxxxxx>
> Subject: Re: [PATCH] Drivers: hv: vmbus: Fix variable assignments in
> hv_ringbuffer_read()
> 
> On Fri, 24 Jul 2020 09:46:06 -0700
> "Andres Beltran" <lkmlabelt@xxxxxxxxx> wrote:
> 
> > Assignments to buffer_actual_len and requestid happen before packetlen
> > is checked to be within buflen. If this condition is true,
> > hv_ringbuffer_read() returns with these variables already set to some
> > value even though no data is actually read. This might create
> > inconsistencies in any routine calling hv_ringbuffer_read(). Assign values
> > to such pointers after the packetlen check.
> >
> > Signed-off-by: Andres Beltran <lkmlabelt@xxxxxxxxx>
> > ---
> >  drivers/hv/ring_buffer.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
> > index 356e22159e83..e277ce7372a4 100644
> > --- a/drivers/hv/ring_buffer.c
> > +++ b/drivers/hv/ring_buffer.c
> > @@ -350,12 +350,13 @@ int hv_ringbuffer_read(struct vmbus_channel
> > *channel,
> >
> >  	offset = raw ? 0 : (desc->offset8 << 3);
> >  	packetlen = (desc->len8 << 3) - offset;
> > -	*buffer_actual_len = packetlen;
> > -	*requestid = desc->trans_id;
> >
> >  	if (unlikely(packetlen > buflen))
> >  		return -ENOBUFS;
> >
> > +	*buffer_actual_len = packetlen;
> > +	*requestid = desc->trans_id;
> > +
> >  	/* since ring is double mapped, only one copy is necessary */
> >  	memcpy(buffer, (const char *)desc + offset, packetlen);
> >
> 
> What is the rationale for this change, it may break other code.
> 
> A common API model in Windows world where this originated
> is to have a call where caller first
> makes request and then if the requested buffer is not big enough the
> caller look at the actual length and allocate a bigger buffer.
> 
> Did you audit all the users of this API to make sure they aren't doing that.

I took a quick look. I saw a case which treats the ringbuffer_read as 
successful if the buffer_actual_len > 0. So if hv_ringbuffer_read() should 
not be fixed this way, then all callers like balloon_onchannelcallback() 
need a fix.

1476 static void balloon_onchannelcallback(void *context)
1477 {
1478         struct hv_device *dev = context;
1479         u32 recvlen;
1480         u64 requestid;
1481         struct dm_message *dm_msg;
1482         struct dm_header *dm_hdr;
1483         struct hv_dynmem_device *dm = hv_get_drvdata(dev);
1484         struct dm_balloon *bal_msg;
1485         struct dm_hot_add *ha_msg;
1486         union dm_mem_page_range *ha_pg_range;
1487         union dm_mem_page_range *ha_region;
1488
1489         memset(recv_buffer, 0, sizeof(recv_buffer));
1490         vmbus_recvpacket(dev->channel, recv_buffer,
1491                          HV_HYP_PAGE_SIZE, &recvlen, &requestid);
1492
1493         if (recvlen > 0) {
1494                 dm_msg = (struct dm_message *)recv_buffer;
1495                 dm_hdr = &dm_msg->hdr;

Thanks,
- Haiyang





[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux