> -----Original Message-----
> From: Stephen Hemminger <stephen@xxxxxxxxxxxxxxxxxx>
> Sent: Friday, July 24, 2020 1:11 PM
> To: Andres Beltran <lkmlabelt@xxxxxxxxx>
> Cc: KY Srinivasan <kys@xxxxxxxxxxxxx>; Haiyang Zhang
> <haiyangz@xxxxxxxxxxxxx>; Stephen Hemminger <sthemmin@xxxxxxxxxxxxx>;
> wei.liu@xxxxxxxxxx; linux-hyperv@xxxxxxxxxxxxxxx; linux-
> kernel@xxxxxxxxxxxxxxx; Michael Kelley <mikelley@xxxxxxxxxxxxx>;
> parri.andrea@xxxxxxxxx; Saruhan Karademir <skarade@xxxxxxxxxxxxx>
> Subject: Re: [PATCH] Drivers: hv: vmbus: Fix variable assignments in
> hv_ringbuffer_read()
>
> On Fri, 24 Jul 2020 09:46:06 -0700
> "Andres Beltran" <lkmlabelt@xxxxxxxxx> wrote:
>
> > Assignments to buffer_actual_len and requestid happen before packetlen
> > is checked to be within buflen. If this condition is true,
> > hv_ringbuffer_read() returns with these variables already set to some
> > value even though no data is actually read. This might create
> > inconsistencies in any routine calling hv_ringbuffer_read(). Assign values
> > to such pointers after the packetlen check.
> >
> > Signed-off-by: Andres Beltran <lkmlabelt@xxxxxxxxx>
> > ---
> > drivers/hv/ring_buffer.c | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
> > index 356e22159e83..e277ce7372a4 100644
> > --- a/drivers/hv/ring_buffer.c
> > +++ b/drivers/hv/ring_buffer.c
> > @@ -350,12 +350,13 @@ int hv_ringbuffer_read(struct vmbus_channel
> > *channel,
> >
> > offset = raw ? 0 : (desc->offset8 << 3);
> > packetlen = (desc->len8 << 3) - offset;
> > - *buffer_actual_len = packetlen;
> > - *requestid = desc->trans_id;
> >
> > if (unlikely(packetlen > buflen))
> > return -ENOBUFS;
> >
> > + *buffer_actual_len = packetlen;
> > + *requestid = desc->trans_id;
> > +
> > /* since ring is double mapped, only one copy is necessary */
> > memcpy(buffer, (const char *)desc + offset, packetlen);
> >
>
> What is the rationale for this change, it may break other code.
>
> A common API model in Windows world where this originated
> is to have a call where caller first
> makes request and then if the requested buffer is not big enough the
> caller look at the actual length and allocate a bigger buffer.
>
> Did you audit all the users of this API to make sure they aren't doing that.
I took a quick look. I saw a case which treats the ringbuffer_read as
successful if the buffer_actual_len > 0. So if hv_ringbuffer_read() should
not be fixed this way, then all callers like balloon_onchannelcallback()
need a fix.
1476 static void balloon_onchannelcallback(void *context)
1477 {
1478 struct hv_device *dev = context;
1479 u32 recvlen;
1480 u64 requestid;
1481 struct dm_message *dm_msg;
1482 struct dm_header *dm_hdr;
1483 struct hv_dynmem_device *dm = hv_get_drvdata(dev);
1484 struct dm_balloon *bal_msg;
1485 struct dm_hot_add *ha_msg;
1486 union dm_mem_page_range *ha_pg_range;
1487 union dm_mem_page_range *ha_region;
1488
1489 memset(recv_buffer, 0, sizeof(recv_buffer));
1490 vmbus_recvpacket(dev->channel, recv_buffer,
1491 HV_HYP_PAGE_SIZE, &recvlen, &requestid);
1492
1493 if (recvlen > 0) {
1494 dm_msg = (struct dm_message *)recv_buffer;
1495 dm_hdr = &dm_msg->hdr;
Thanks,
- Haiyang
