Linux Virtualization - Dec 2018 - [PATCH] vhost: return EINVAL if iovecs size does not match the message size

On Thu, Dec 13, 2018 at 05:53:50PM +0300, Pavel Tikhomirov
wrote:
> We've failed to copy and process vhost_iotlb_msg so let userspace at
> least know about it. For instance before these patch the code below runs
> without any error:
> 
> int main()
> {
>   struct vhost_msg msg;
>   struct iovec iov;
>   int fd;
> 
>   fd = open("/dev/vhost-net", O_RDWR);
>   if (fd == -1) {
>     perror("open");
>     return 1;
>   }
> 
>   iov.iov_base = &msg;
>   iov.iov_len = sizeof(msg)-4;
> 
>   if (writev(fd, &iov,1) == -1) {
>     perror("writev");
>     return 1;
>   }
> 
>   return 0;
> }
> 
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Thanks for the patch!
> ---
>  drivers/vhost/vhost.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
> index 3a5f81a66d34..03014224ef13 100644
> --- a/drivers/vhost/vhost.c
> +++ b/drivers/vhost/vhost.c
> @@ -1024,8 +1024,10 @@ ssize_t vhost_chr_write_iter(struct vhost_dev *dev,
>  	int type, ret;
>  
>  	ret = copy_from_iter(&type, sizeof(type), from);
> -	if (ret != sizeof(type))
> +	if (ret != sizeof(type)) {
> +		ret = -EINVAL;
>  		goto done;
> +	}
>  
>  	switch (type) {
>  	case VHOST_IOTLB_MSG:
should this be EFAULT rather?
> @@ -1044,8 +1046,10 @@ ssize_t vhost_chr_write_iter(struct vhost_dev *dev,
>  
>  	iov_iter_advance(from, offset);
>  	ret = copy_from_iter(&msg, sizeof(msg), from);
> -	if (ret != sizeof(msg))
> +	if (ret != sizeof(msg)) {
> +		ret = -EINVAL;
>  		goto done;
> +	}
>  	if (vhost_process_iotlb_msg(dev, &msg)) {
>  		ret = -EFAULT;
>  		goto done;
This too?
> -- 
> 2.17.1