> From: Jason Gunthorpe <jgg@xxxxxxxxxx> > Sent: Monday, July 31, 2023 9:19 PM > > On Mon, Jul 31, 2023 at 10:07:32AM +0000, Liu, Yi L wrote: > > > > + goto out_put_hwpt; > > > > + } > > > > + > > > > + /* > > > > + * Copy the needed fields before reusing the ucmd buffer, this > > > > + * avoids memory allocation in this path. > > > > + */ > > > > + user_ptr = cmd->data_uptr; > > > > + user_data_len = cmd->data_len; > > > > > > Uhh, who checks that klen < the temporary stack struct? > > > > Take vtd as an example. The invalidate structure is struct > iommu_hwpt_vtd_s1_invalidate[1]. > > The klen is sizeof(struct iommu_hwpt_vtd_s1_invalidate)[2]. > iommu_hwpt_vtd_s1_invalidate > > is also placed in the temporary stack struct (actually it is a union)[1]. So the klen should > > be <= temporary stack. > > Ohh, I think I would add a few comments noting that the invalidate > structs need to be added to that union. Easy to miss. Sure. Actually, there are some description as below in patch [1]. Would add some as well here. "Cache invalidation path is performance path, so it's better to avoid memory allocation in such path. To achieve it, this path reuses the ucmd_buffer to copy user data. So the new data structures are added in the ucmd_buffer union to avoid overflow." [1] https://lore.kernel.org/linux-iommu/20230724111335.107427-8-yi.l.liu@xxxxxxxxx/ > > It's not so explicit though. Perhaps worth to have a check like below in this patch? > > > > if (unlikely(klen > sizeof(union ucmd_buffer))) > > return -EINVAL; > > Yes, stick this in the domain allocate path with a WARN_ON. The driver > is broken to allocate a domain with an invalid size. Ok. so if any mistake on the data structure, the allocation fails in the first place. Regards, Yi Liu
