search for: vhost_set_vr

..._dev_ioctl(&n->dev, ioctl, arg); vhost_net_flush(n); + mutex_unlock(&n->dev.mutex); return r; } } diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index e7b4dea..29f1675 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -288,6 +288,12 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) switch (ioctl) { case VHOST_SET_VRING_NUM: + /* Resizing ring with an active backend? + * You don't want to do that. */ + if (vq->private_data) { + r = -EBUSY; + break; + } r = copy_from_user(&s, argp, sizeof s);...

..._dev_ioctl(&n->dev, ioctl, arg); vhost_net_flush(n); + mutex_unlock(&n->dev.mutex); return r; } } diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index e7b4dea..29f1675 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -288,6 +288,12 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) switch (ioctl) { case VHOST_SET_VRING_NUM: + /* Resizing ring with an active backend? + * You don't want to do that. */ + if (vq->private_data) { + r = -EBUSY; + break; + } r = copy_from_user(&s, argp, sizeof s);...

...s, &used->flags); + int r = put_user(vq->used_flags, &vq->used->flags); if (r) return r; vq->signalled_used_valid = false; - return get_user(vq->last_used_idx, &used->idx); + return get_user(vq->last_used_idx, &vq->used->idx); } static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) @@ -701,10 +700,6 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) } } - r = init_used(vq, (struct vring_used __user *)(unsigned long) - a.used_user_addr); - if (r) - break; vq->log_use...

...s, &used->flags); + int r = put_user(vq->used_flags, &vq->used->flags); if (r) return r; vq->signalled_used_valid = false; - return get_user(vq->last_used_idx, &used->idx); + return get_user(vq->last_used_idx, &vq->used->idx); } static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) @@ -701,10 +700,6 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) } } - r = init_used(vq, (struct vring_used __user *)(unsigned long) - a.used_user_addr); - if (r) - break; vq->log_use...

...AX / sizeof *vq->used->ring - sizeof *vq->used) + return 0; + return vq_memory_access_ok(log_base, vq->dev->memory, vhost_has_feature(vq->dev, VHOST_F_LOG_ALL)) && (!vq->log_used || log_access_ok(log_base, vq->log_addr, @@ -606,12 +617,17 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) } /* Also validate log access for used ring if enabled. */ - if ((a.flags & (0x1 << VHOST_VRING_F_LOG)) && - !log_access_ok(vq->log_base, a.log_guest_addr, + if (a.flags & (0x1 << VHOST_VRING_F_...

...AX / sizeof *vq->used->ring - sizeof *vq->used) + return 0; + return vq_memory_access_ok(log_base, vq->dev->memory, vhost_has_feature(vq->dev, VHOST_F_LOG_ALL)) && (!vq->log_used || log_access_ok(log_base, vq->log_addr, @@ -606,12 +617,17 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) } /* Also validate log access for used ring if enabled. */ - if ((a.flags & (0x1 << VHOST_VRING_F_LOG)) && - !log_access_ok(vq->log_base, a.log_guest_addr, + if (a.flags & (0x1 << VHOST_VRING_F_...

...n's patch is a bit better. OK? drivers/vhost/vhost.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 97233d5..e7b4dea 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -322,6 +322,8 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) r = -EOPNOTSUPP; break; } + /* For 32bit, verify that the top 32bits of the user + data are set to zero. */ if ((u64)(unsigned long)a.desc_user_addr != a.desc_user_addr || (u64)(unsigned long)a.used_user_addr != a.used_...

...n's patch is a bit better. OK? drivers/vhost/vhost.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 97233d5..e7b4dea 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -322,6 +322,8 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) r = -EOPNOTSUPP; break; } + /* For 32bit, verify that the top 32bits of the user + data are set to zero. */ if ((u64)(unsigned long)a.desc_user_addr != a.desc_user_addr || (u64)(unsigned long)a.used_user_addr != a.used_...

...ess_ok(struct vhost_virtqueue *vq) { - return vq_access_ok(vq->num, vq->desc, vq->avail, vq->used) && + return vq_access_ok(vq->dev, vq->num, vq->desc, vq->avail, vq->used,) && vq_log_access_ok(vq, vq->log_base); } @@ -448,7 +449,7 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) * If it is not, we don't as size might not have been setup. * We will verify when backend is configured. */ if (vq->private_data) { - if (!vq_access_ok(vq->num, + if (!vq_access_ok(d, vq->num, (void __user *)(uns...

...ess_ok(struct vhost_virtqueue *vq) { - return vq_access_ok(vq->num, vq->desc, vq->avail, vq->used) && + return vq_access_ok(vq->dev, vq->num, vq->desc, vq->avail, vq->used,) && vq_log_access_ok(vq, vq->log_base); } @@ -448,7 +449,7 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) * If it is not, we don't as size might not have been setup. * We will verify when backend is configured. */ if (vq->private_data) { - if (!vq_access_ok(vq->num, + if (!vq_access_ok(d, vq->num, (void __user *)(uns...

...virtqueue *vq, struct vring_used __user *used) { - int r = put_user(vq->used_flags, &used->flags); + int r; + vq->used = used; + r = vhost_update_used_flags(vq); if (r) return r; return get_user(vq->last_used_idx, &used->idx); @@ -700,7 +702,6 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) vq->desc = (void __user *)(unsigned long)a.desc_user_addr; vq->avail = (void __user *)(unsigned long)a.avail_user_addr; vq->log_addr = a.log_guest_addr; - vq->used = (void __user *)(unsigned long)a.used_user_addr; break;...

...virtqueue *vq, struct vring_used __user *used) { - int r = put_user(vq->used_flags, &used->flags); + int r; + vq->used = used; + r = vhost_update_used_flags(vq); if (r) return r; return get_user(vq->last_used_idx, &used->idx); @@ -700,7 +702,6 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) vq->desc = (void __user *)(unsigned long)a.desc_user_addr; vq->avail = (void __user *)(unsigned long)a.avail_user_addr; vq->log_addr = a.log_guest_addr; - vq->used = (void __user *)(unsigned long)a.used_user_addr; break;...

...cess_ok(struct vhost_virtqueue *vq) { - return vq_access_ok(vq->num, vq->desc, vq->avail, vq->used) && + return vq_access_ok(vq->dev, vq->num, vq->desc, vq->avail, vq->used) && vq_log_access_ok(vq, vq->log_base); } @@ -448,7 +449,7 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) * If it is not, we don't as size might not have been setup. * We will verify when backend is configured. */ if (vq->private_data) { - if (!vq_access_ok(vq->num, + if (!vq_access_ok(d, vq->num, (void __user *)(uns...

...cess_ok(struct vhost_virtqueue *vq) { - return vq_access_ok(vq->num, vq->desc, vq->avail, vq->used) && + return vq_access_ok(vq->dev, vq->num, vq->desc, vq->avail, vq->used) && vq_log_access_ok(vq, vq->log_base); } @@ -448,7 +449,7 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) * If it is not, we don't as size might not have been setup. * We will verify when backend is configured. */ if (vq->private_data) { - if (!vq_access_ok(vq->num, + if (!vq_access_ok(d, vq->num, (void __user *)(uns...

OK, I've been trying to read the vhost and vhost net code, and I'm struggling with basic questions. 1) Why do we allow userspace to change an already-set-up vhost device? Why not have: open() ioctl(VHOST_GET_FEATURES) ioctl(VHOST_SET_VRING) x n (sets num, addresses, kick/call/err fds) ioctl(VHOST_NET_SETUP) ... close() You're not allowed to call things twice: to reset, you close and reopen. That would save a lot of code which I'm not sure is correct anyway. 2) Why do we implement write l...

OK, I've been trying to read the vhost and vhost net code, and I'm struggling with basic questions. 1) Why do we allow userspace to change an already-set-up vhost device? Why not have: open() ioctl(VHOST_GET_FEATURES) ioctl(VHOST_SET_VRING) x n (sets num, addresses, kick/call/err fds) ioctl(VHOST_NET_SETUP) ... close() You're not allowed to call things twice: to reset, you close and reopen. That would save a lot of code which I'm not sure is correct anyway. 2) Why do we implement write l...

...->vqs[i].poll); vhost_poll_flush(&dev->vqs[i].poll); } @@ -322,7 +307,6 @@ void vhost_dev_cleanup(struct vhost_dev *dev) mmput(dev->mm); dev->mm = NULL; - WARN_ON(!list_empty(&dev->work_list)); kthread_stop(dev->worker); } @@ -644,7 +628,7 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) r = -ENOIOCTLCMD; } - if (pollstop && vq->handle_kick) + if (pollstop && vq->work.fn) vhost_poll_stop(&vq->poll); if (ctx) @@ -652,12 +636,12 @@ static long vhost_set_vring(struct vhost_dev *d, int ioct...

...->vqs[i].poll); vhost_poll_flush(&dev->vqs[i].poll); } @@ -322,7 +307,6 @@ void vhost_dev_cleanup(struct vhost_dev *dev) mmput(dev->mm); dev->mm = NULL; - WARN_ON(!list_empty(&dev->work_list)); kthread_stop(dev->worker); } @@ -644,7 +628,7 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) r = -ENOIOCTLCMD; } - if (pollstop && vq->handle_kick) + if (pollstop && vq->work.fn) vhost_poll_stop(&vq->poll); if (ctx) @@ -652,12 +636,12 @@ static long vhost_set_vring(struct vhost_dev *d, int ioct...

...vhost_dev *d, struct vhost_memory __user *m) kfree(newmem); return r; } + + if (!memory_access_ok(d, newmem, vhost_has_feature(d, VHOST_F_LOG_ALL))) + return -EFAULT; oldmem = d->memory; rcu_assign_pointer(d->memory, newmem); synchronize_rcu(); @@ -348,6 +436,29 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) r = -EINVAL; break; } + + /* We only verify access here if backend is configured. + * If it is not, we don't as size might not have been setup. + * We will verify when backend is configured. */ + if (vq->private_data) { +...

...vhost_dev *d, struct vhost_memory __user *m) kfree(newmem); return r; } + + if (!memory_access_ok(d, newmem, vhost_has_feature(d, VHOST_F_LOG_ALL))) + return -EFAULT; oldmem = d->memory; rcu_assign_pointer(d->memory, newmem); synchronize_rcu(); @@ -348,6 +436,29 @@ static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp) r = -EINVAL; break; } + + /* We only verify access here if backend is configured. + * If it is not, we don't as size might not have been setup. + * We will verify when backend is configured. */ + if (vq->private_data) { +...