Stefano Garzarella
2021-Feb-04 17:22 UTC
[PATCH v3 09/13] vhost/vdpa: remove vhost_vdpa_config_validate()
get_config() and set_config() callbacks in the 'struct vdpa_config_ops' usually already validated the inputs. Also now they can return an error, so we don't need to validate them here anymore. Let's use the return value of these callbacks and return it in case of error in vhost_vdpa_get_config() and vhost_vdpa_set_config(). Originally-by: Xie Yongji <xieyongji at bytedance.com> Signed-off-by: Stefano Garzarella <sgarzare at redhat.com> --- drivers/vhost/vdpa.c | 41 +++++++++++++---------------------------- 1 file changed, 13 insertions(+), 28 deletions(-) diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c index ef688c8c0e0e..d61e779000a8 100644 --- a/drivers/vhost/vdpa.c +++ b/drivers/vhost/vdpa.c @@ -185,51 +185,35 @@ static long vhost_vdpa_set_status(struct vhost_vdpa *v, u8 __user *statusp) return 0; } -static int vhost_vdpa_config_validate(struct vhost_vdpa *v, - struct vhost_vdpa_config *c) -{ - long size = 0; - - switch (v->virtio_id) { - case VIRTIO_ID_NET: - size = sizeof(struct virtio_net_config); - break; - } - - if (c->len == 0) - return -EINVAL; - - if (c->len > size - c->off) - return -E2BIG; - - return 0; -} - static long vhost_vdpa_get_config(struct vhost_vdpa *v, struct vhost_vdpa_config __user *c) { struct vdpa_device *vdpa = v->vdpa; struct vhost_vdpa_config config; unsigned long size = offsetof(struct vhost_vdpa_config, buf); + long ret; u8 *buf; if (copy_from_user(&config, c, size)) return -EFAULT; - if (vhost_vdpa_config_validate(v, &config)) + if (config.len == 0) return -EINVAL; buf = kvzalloc(config.len, GFP_KERNEL); if (!buf) return -ENOMEM; - vdpa_get_config(vdpa, config.off, buf, config.len); + ret = vdpa_get_config(vdpa, config.off, buf, config.len); + if (ret) + goto out; if (copy_to_user(c->buf, buf, config.len)) { - kvfree(buf); - return -EFAULT; + ret = -EFAULT; + goto out; } +out: kvfree(buf); - return 0; + return ret; } static long vhost_vdpa_set_config(struct vhost_vdpa *v, @@ -239,21 +223,22 @@ static long vhost_vdpa_set_config(struct vhost_vdpa *v, const struct vdpa_config_ops *ops = vdpa->config; struct vhost_vdpa_config config; unsigned long size = offsetof(struct vhost_vdpa_config, buf); + long ret; u8 *buf; if (copy_from_user(&config, c, size)) return -EFAULT; - if (vhost_vdpa_config_validate(v, &config)) + if (config.len == 0) return -EINVAL; buf = vmemdup_user(c->buf, config.len); if (IS_ERR(buf)) return PTR_ERR(buf); - ops->set_config(vdpa, config.off, buf, config.len); + ret = ops->set_config(vdpa, config.off, buf, config.len); kvfree(buf); - return 0; + return ret; } static long vhost_vdpa_get_features(struct vhost_vdpa *v, u64 __user *featurep) -- 2.29.2
Jason Wang
2021-Feb-05 03:27 UTC
[PATCH v3 09/13] vhost/vdpa: remove vhost_vdpa_config_validate()
On 2021/2/5 ??1:22, Stefano Garzarella wrote:> get_config() and set_config() callbacks in the 'struct vdpa_config_ops' > usually already validated the inputs. Also now they can return an error, > so we don't need to validate them here anymore. > > Let's use the return value of these callbacks and return it in case of > error in vhost_vdpa_get_config() and vhost_vdpa_set_config(). > > Originally-by: Xie Yongji <xieyongji at bytedance.com> > Signed-off-by: Stefano Garzarella <sgarzare at redhat.com> > --- > drivers/vhost/vdpa.c | 41 +++++++++++++---------------------------- > 1 file changed, 13 insertions(+), 28 deletions(-) > > diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > index ef688c8c0e0e..d61e779000a8 100644 > --- a/drivers/vhost/vdpa.c > +++ b/drivers/vhost/vdpa.c > @@ -185,51 +185,35 @@ static long vhost_vdpa_set_status(struct vhost_vdpa *v, u8 __user *statusp) > return 0; > } > > -static int vhost_vdpa_config_validate(struct vhost_vdpa *v, > - struct vhost_vdpa_config *c) > -{ > - long size = 0; > - > - switch (v->virtio_id) { > - case VIRTIO_ID_NET: > - size = sizeof(struct virtio_net_config); > - break; > - } > - > - if (c->len == 0) > - return -EINVAL; > - > - if (c->len > size - c->off) > - return -E2BIG; > - > - return 0; > -} > - > static long vhost_vdpa_get_config(struct vhost_vdpa *v, > struct vhost_vdpa_config __user *c) > { > struct vdpa_device *vdpa = v->vdpa; > struct vhost_vdpa_config config; > unsigned long size = offsetof(struct vhost_vdpa_config, buf); > + long ret; > u8 *buf; > > if (copy_from_user(&config, c, size)) > return -EFAULT; > - if (vhost_vdpa_config_validate(v, &config)) > + if (config.len == 0) > return -EINVAL; > buf = kvzalloc(config.len, GFP_KERNEL);Then it means usersapce can allocate a very large memory. Rethink about this, we should limit the size here (e.g PAGE_SIZE) or fetch the config size first (either through a config ops as you suggested or a variable in the vdpa device that is initialized during device creation). Thanks> if (!buf) > return -ENOMEM; > > - vdpa_get_config(vdpa, config.off, buf, config.len); > + ret = vdpa_get_config(vdpa, config.off, buf, config.len); > + if (ret) > + goto out; > > if (copy_to_user(c->buf, buf, config.len)) { > - kvfree(buf); > - return -EFAULT; > + ret = -EFAULT; > + goto out; > } > > +out: > kvfree(buf); > - return 0; > + return ret; > } > > static long vhost_vdpa_set_config(struct vhost_vdpa *v, > @@ -239,21 +223,22 @@ static long vhost_vdpa_set_config(struct vhost_vdpa *v, > const struct vdpa_config_ops *ops = vdpa->config; > struct vhost_vdpa_config config; > unsigned long size = offsetof(struct vhost_vdpa_config, buf); > + long ret; > u8 *buf; > > if (copy_from_user(&config, c, size)) > return -EFAULT; > - if (vhost_vdpa_config_validate(v, &config)) > + if (config.len == 0) > return -EINVAL; > > buf = vmemdup_user(c->buf, config.len); > if (IS_ERR(buf)) > return PTR_ERR(buf); > > - ops->set_config(vdpa, config.off, buf, config.len); > + ret = ops->set_config(vdpa, config.off, buf, config.len); > > kvfree(buf); > - return 0; > + return ret; > } > > static long vhost_vdpa_get_features(struct vhost_vdpa *v, u64 __user *featurep)