On Wed, Sep 29, 2021 at 02:37:42PM +0300, Dan Carpenter wrote:
>     89          /* The last byte is the status and we checked if the last iov has
>     90           * enough room for it.
>     91           */
>     92          to_push = vringh_kiov_length(&vq->in_iov) - 1;
>
> Are you positive that vringh_kiov_length() cannot be zero?  I looked at
> the range_check() and there is no check for "if (*len == 0)".
>
>     93
>     94          to_pull = vringh_kiov_length(&vq->out_iov);
>     95
>     96          bytes = vringh_iov_pull_iotlb(&vq->vring, &vq->out_iov, &hdr,
>     97                                        sizeof(hdr));
>     98          if (bytes != sizeof(hdr)) {
>     99                  dev_err(&vdpasim->vdpa.dev, "request out header too short\n");
>    100                  return false;
>    101          }
>    102
>    103          to_pull -= bytes;
>
> The same "bytes" is used for both to_pull and to_push.  In this
> assignment it would only be used for the default case which prints an
> error message.
>

Sorry, no.  This part is wrong.  "bytes" is not used for "to_push" either
here or below.  But I still am not sure "*len == 0" or how we know that
"to_push >= VIRTIO_BLK_ID_BYTES".

regards,
dan carpenter
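
The two open questions in the message above, worked through as an added userspace example (not code from the e-mail or from the kernel): what line 92 yields if the length is zero, and why a later size test does not catch it. It assumes to_push is a size_t; struct model_kiov and the helper names are hypothetical stand-ins, and VIRTIO_BLK_ID_BYTES is given the value 20 from the virtio-blk UAPI header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define VIRTIO_BLK_ID_BYTES 20 /* value from the virtio-blk UAPI header */
struct model_kiov { const size_t *seg_len; size_t used; }; /* hypothetical kiov model */

/* Constructed samples: empty, 8 bytes + status, 20 bytes + status. */
static const size_t seg_small[] = { 8, 1 }, seg_ok[] = { 20, 1 };
static const struct model_kiov kiov_empty = { NULL, 0 },
	kiov_small = { seg_small, 2 }, kiov_ok = { seg_ok, 2 };

/* Stand-in for vringh_kiov_length(): total bytes across all segments. */
static size_t model_kiov_length(const struct model_kiov *k)
{
	size_t total = 0;
	for (size_t i = 0; i < k->used; i++)
		total += k->seg_len[i];
	return total;
}

/* Unchecked form, as in the quoted line 92 (to_push assumed to be size_t). */
static size_t to_push_unchecked(const struct model_kiov *in)
{
	return model_kiov_length(in) - 1; /* wraps to SIZE_MAX when length is 0 */
}

/* Checked form: fail the request unless there is room for the status byte. */
static bool to_push_checked(const struct model_kiov *in, size_t *to_push)
{
	size_t len = model_kiov_length(in);
	if (len == 0)
		return false;
	*to_push = len - 1;
	return true;
}

/* Room test for an ID reply; only meaningful on a to_push that did not wrap. */
static bool room_for_id(size_t to_push)
{
	return to_push >= VIRTIO_BLK_ID_BYTES;
}

int main(void)
{
	size_t wrapped = to_push_unchecked(&kiov_empty), n = 0;
	printf("unchecked: to_push=%zu room_for_id=%d; checked accepts=%d\n",
	       wrapped, room_for_id(wrapped), to_push_checked(&kiov_empty, &n));
	return 0;
}
```

With an empty in_iov the wrapped value passes the "to_push >= VIRTIO_BLK_ID_BYTES" test, so that test has to come after a zero-length check, not in place of one.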