Hi Michael,
I'm a bit confused about why ubuf_info and heads are UIO_MAXIOV
length arrays, rather than being the size of the ring? In particular,
this is suspicious:
linux/drivers/vhost/net.c:342: struct ubuf_info *ubuf =
&vq->ubuf_info[head];
And it seems to assume we trust head: a malicious guest could put the
same head entry in the ring twice, and we will get two callbacks on the
same value. I don't know what that will do, but I'm not sure it's
harmless.
Thanks,
Rusty.
Apparently Analagous Threads
- drivers/vhost: sizing of ubuf_info and heads
- [PATCH net] vhost/net: fix heads usage of ubuf_info
- [PATCH net] vhost/net: fix heads usage of ubuf_info
- [PATCH RFC 08/13] vhost/net: convert to new API: heads->bufs
- [PATCH] vhost: Move vhost-net zerocopy support fields to net.c
Wisdom of the Ancients
