Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3363033ybb; Tue, 31 Mar 2020 03:49:38 -0700 (PDT) X-Google-Smtp-Source: ADFU+vuIPM0sEkSNPB9qALVddUdR11iSRfVrMR9svuSElMd5JIcGfkXAv0uxPBJ/Sd7KZiWZ0tJG X-Received: by 2002:a05:6830:1159:: with SMTP id x25mr490734otq.110.1585651777860; Tue, 31 Mar 2020 03:49:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585651777; cv=none; d=google.com; s=arc-20160816; b=YjMIOMRlqV96HoaKw1Qdy+27L86ff3X382D2BVeWxklQSPGr1bQYkiKskbFT091pmb VpA1eEE9pECEas2cPUMnpg+p9CZ6nATxW/hZpDQonwVd5Ep23BOW14AUb/uvOtz6KwdT UWho33QMpNGokhVaZPXXCmgT20vDZskCa+/SurlrHN3fRBh6CpCHt3E0vaQ/i/IxjxWD 1fwVPjUgHNdjOywPBaM+u3TXxJyNk6IjKrPryTHfUGLH6i9iMW/zPFkqzbYKS2ac0YLC m4e8T0fGN3TLc6yq8Lc1eAQ6Hija1GKlCLHnMjt61OMotqa9+PRkfX6LeYg3hJxzrW4v 2ubw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from:ironport-sdr:ironport-sdr; bh=iThbvlqhp+ygGTzgXtGOemYMS5aw5WuZXVSCXkKt354=; b=fVMnJiy/UdBXA0sFRaPN3+Ut1OuAD4KTe02hPUgwBZJ6B4+LQTecqwFJyUtOqlyZMf Eb8NpWGTLacAgu7sJtuR0XPTxradcW2LdEQuAKFPcoYF/q4figvZrgSL4EOY3nQu5Vzb hIuf0TesPMdyMwKalpdFyS3h46ch1ZZ9MflfUP5ih14NuiH8yKeIyMheT/Oidbdq0aH6 0W6mNBPYeQZ/xRvqPbO5DuPutta+O/otLZYz8Kc5X6nQP/FIATKGJfjARloa+OzTHCjY 8q6AZqJcuv7recydNR40Zdr8uV+lc9qZWuJgAz9EjiHe1hsRqcG4YGaU7v7qRG7XB0tw arFw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x63si6785131oia.101.2020.03.31.03.49.24; Tue, 31 Mar 2020 03:49:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730418AbgCaKsm convert rfc822-to-8bit (ORCPT + 99 others); Tue, 31 Mar 2020 06:48:42 -0400 Received: from mga05.intel.com ([192.55.52.43]:52858 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730341AbgCaKsm (ORCPT ); Tue, 31 Mar 2020 06:48:42 -0400 IronPort-SDR: BEymclEx7Qu6XWtvGKhSyOA4MNOzBwVdR8L+Jr0PatHcYNZnUZqFJdhA621QQrHaPD8Tzabio+ U52hAHKVbCNw== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 31 Mar 2020 03:48:41 -0700 IronPort-SDR: /KxE8UaVN606pxVD82pMLbaBTRRjTyTVrnwsMDf2oRUpusKQ2fCmIBiu/rYtDf7mmYPvuWqPzq OXpLLRaayGGA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.72,327,1580803200"; d="scan'208";a="448624636" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by fmsmga005.fm.intel.com with ESMTP; 31 Mar 2020 03:48:41 -0700 Received: from fmsmsx102.amr.corp.intel.com (10.18.124.200) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 31 Mar 2020 03:48:41 -0700 Received: from shsmsx153.ccr.corp.intel.com (10.239.6.53) by FMSMSX102.amr.corp.intel.com (10.18.124.200) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 31 Mar 2020 03:48:41 -0700 Received: from shsmsx104.ccr.corp.intel.com ([169.254.5.225]) by SHSMSX153.ccr.corp.intel.com ([169.254.12.89]) with mapi id 14.03.0439.000; Tue, 31 Mar 2020 18:48:37 +0800 From: "Liu, Yi L" To: Christoph Hellwig CC: "alex.williamson@redhat.com" , "eric.auger@redhat.com" , "jean-philippe@linaro.org" , "Tian, Kevin" , "Raj, Ashok" , "kvm@vger.kernel.org" , "Tian, Jun J" , "iommu@lists.linux-foundation.org" , "linux-kernel@vger.kernel.org" , "Sun, Yi Y" , "Wu, Hao" Subject: RE: [PATCH v1 7/8] vfio/type1: Add VFIO_IOMMU_CACHE_INVALIDATE Thread-Topic: [PATCH v1 7/8] vfio/type1: Add VFIO_IOMMU_CACHE_INVALIDATE Thread-Index: AQHWAEUdcc1u01skwUmp6uBHREsZ66hh3P+AgACUz4A= Date: Tue, 31 Mar 2020 10:48:36 +0000 Message-ID: References: <1584880325-10561-1-git-send-email-yi.l.liu@intel.com> <1584880325-10561-8-git-send-email-yi.l.liu@intel.com> <20200331075603.GB26583@infradead.org> In-Reply-To: <20200331075603.GB26583@infradead.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Hellwig, Thanks for your review, Hellwig. :-) inline reply. > From: Christoph Hellwig > Sent: Tuesday, March 31, 2020 3:56 PM > To: Liu, Yi L > Subject: Re: [PATCH v1 7/8] vfio/type1: Add VFIO_IOMMU_CACHE_INVALIDATE > > > @@ -2629,6 +2638,46 @@ static long vfio_iommu_type1_ioctl(void > *iommu_data, > > } > > kfree(gbind_data); > > return ret; > > + } else if (cmd == VFIO_IOMMU_CACHE_INVALIDATE) { > > Please refactor the spaghetti in this ioctl handler to use a switch statement and a > helper function per command before growing it even more. got it. I may get a separate refactor patch before adding my changes. > > > + /* Get the version of struct iommu_cache_invalidate_info */ > > + if (copy_from_user(&version, > > + (void __user *) (arg + minsz), sizeof(version))) > > + return -EFAULT; > > + > > + info_size = iommu_uapi_get_data_size( > > + IOMMU_UAPI_CACHE_INVAL, version); > > + > > + cache_info = kzalloc(info_size, GFP_KERNEL); > > + if (!cache_info) > > + return -ENOMEM; > > + > > + if (copy_from_user(cache_info, > > + (void __user *) (arg + minsz), info_size)) { > > The user might have changed the version while you were allocating and > freeing the > memory, introducing potentially exploitable racing conditions. yeah, I know the @version is not welcomed in the thread Jacob is driving. I'll adjust the code here once the open in that thread has been solved. But regardless of the version, I'm not sure if I 100% got your point. Could you elaborate a bit? BTW. The code somehow referenced the code below. The basic flow is copying partial data from __arg and then copy the rest data after figuring out how much left. The difference betwen below code and my code is just different way to figure out left data size. Since I'm not sure if I got your point. If the racing is true in such flow, I guess there are quite a few places need to enhance. vfio_pci_ioctl(){ { ... } else if (cmd == VFIO_DEVICE_SET_IRQS) { struct vfio_irq_set hdr; u8 *data = NULL; int max, ret = 0; size_t data_size = 0; minsz = offsetofend(struct vfio_irq_set, count); if (copy_from_user(&hdr, (void __user *)arg, minsz)) return -EFAULT; max = vfio_pci_get_irq_count(vdev, hdr.index); ret = vfio_set_irqs_validate_and_prepare(&hdr, max, VFIO_PCI_NUM_IRQS, &data_size); if (ret) return ret; if (data_size) { data = memdup_user((void __user *)(arg + minsz), data_size); if (IS_ERR(data)) return PTR_ERR(data); } mutex_lock(&vdev->igate); ret = vfio_pci_set_irqs_ioctl(vdev, hdr.flags, hdr.index, hdr.start, hdr.count, data); mutex_unlock(&vdev->igate); kfree(data); return ret; } else if (cmd == VFIO_DEVICE_RESET) { ... } Regards, Yi Liu