From: Yongji Xie
Date: Wed, 14 Jul 2021 13:24:02 +0800
Subject: Re: [PATCH v9 13/17] vdpa: factor out vhost_vdpa_pa_map() and vhost_vdpa_pa_unmap()
To: Dan Carpenter
Cc: "Michael S. Tsirkin", Jason Wang, Stefan Hajnoczi, Stefano Garzarella, Parav Pandit, Christoph Hellwig, Christian Brauner, Randy Dunlap, Matthew Wilcox, Al Viro, Jens Axboe, bcrl@kvack.org, Jonathan Corbet, Mika Penttilä, joro@8bytes.org, Greg KH, He Zhe, Liu Xiaodong, songmuchun@bytedance.com, virtualization, netdev@vger.kernel.org, kvm, linux-fsdevel@vger.kernel.org, iommu@lists.linux-foundation.org, linux-kernel
In-Reply-To: <20210713113114.GL1954@kadam>
References: <20210713084656.232-1-xieyongji@bytedance.com> <20210713084656.232-14-xieyongji@bytedance.com> <20210713113114.GL1954@kadam>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 13, 2021 at 7:31 PM Dan Carpenter wrote:
>
> On Tue, Jul 13, 2021 at 04:46:52PM +0800, Xie Yongji wrote:
> > @@ -613,37 +618,28 @@ static void vhost_vdpa_unmap(struct vhost_vdpa *v, u64 iova, u64 size) > > } > > } > > > > -static int vhost_vdpa_process_iotlb_update(struct vhost_vdpa *v, > > - struct vhost_iotlb_msg *msg) > > +static int vhost_vdpa_pa_map(struct vhost_vdpa *v, > > + u64 iova, u64 size, u64 uaddr, u32 perm) > > { > > struct vhost_dev *dev = &v->vdev; > > - struct vhost_iotlb *iotlb = dev->iotlb; > > struct page **page_list; > > unsigned long list_size = PAGE_SIZE / sizeof(struct page *); > > unsigned int gup_flags = FOLL_LONGTERM; > > unsigned long npages, cur_base, map_pfn, last_pfn = 0; > > unsigned long lock_limit, sz2pin, nchunks, i; > > - u64 iova = msg->iova; > > + u64 start = iova; > > long pinned; > > int ret = 0; > > > > - if (msg->iova < v->range.first || > > - msg->iova + msg->size - 1 > v->range.last) > > - return -EINVAL;
>
> This is not related to your patch, but can the "msg->iova + msg->size"
> addition have an integer overflow? From looking at the callers it
> seems like it can. msg comes from:
>
>     vhost_chr_write_iter()
>     --> dev->msg_handler(dev, &msg);
>         --> vhost_vdpa_process_iotlb_msg()
>             --> vhost_vdpa_process_iotlb_update()
>
> If I'm thinking of the right thing then these are allowed to overflow to
> 0 because of the " - 1" but not further than that. I believe the check
> needs to be something like:
>
>     if (msg->iova < v->range.first ||
>         msg->iova - 1 > U64_MAX - msg->size ||
>         msg->iova + msg->size - 1 > v->range.last)
>

Makes sense.

> But writing integer overflow checks correctly is notoriously difficult.
> Do you think you could send a fix for that which is separate from the
> patchset? We'd want to backport it to stable.
>

OK, I will send a patch to fix it.

Thanks,
Yongji
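Review bot: the v->range bounds check (`msg->iova < v->range.first || msg->iova + msg->size - 1 > v->range.last`) is deleted from this function and the hunk does not show where it went, so vhost_vdpa_pa_map() now trusts its iova/size arguments and whichever caller dispatches to it must validate them before any page pinning begins. While relocating that check, also reject msg->size == 0 and the wrap of `msg->iova + msg->size - 1` (for example `!msg->size || msg->iova > U64_MAX - msg->size + 1`): with a zero size the old expression evaluates to `msg->iova - 1`, and for an iova near U64_MAX it wraps below range.last, which the existing two comparisons cannot see. Note that the `msg->iova - 1 > U64_MAX - msg->size` form proposed in the reply wraps in `msg->iova - 1` when msg->iova == 0, which would refuse every mapping that starts at IOVA 0.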
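The overflow reasoning in Dan's reply, worked through in code. This is an added example written by the editor, not code from drivers/vhost/vdpa.c or from the patch series: the function names range_ok_naive, range_ok_reply_form and range_ok_checked, the first/last parameters standing in for v->range.first and v->range.last, and the test vectors are all constructed here. It also shows the one corner the reply's form gets wrong (iova == 0) and the zero-size case that neither the deleted check nor the reply's form rejects.

```c
/*
 * Added example by the editor, not code from drivers/vhost/vdpa.c or from
 * the patch series: the deleted IOTLB range check, the form proposed in
 * the reply, and an overflow-safe form, run over constructed inputs.
 * first/last stand in for v->range.first / v->range.last, iova/size for
 * msg->iova / msg->size.  Build: cc -std=c99 -Wall iotlb_range.c
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;
#define U64_MAX UINT64_MAX

/* The deleted check: iova + size - 1 can wrap past U64_MAX and land
 * below `last`, so an oversized mapping is accepted. */
static bool range_ok_naive(u64 first, u64 last, u64 iova, u64 size)
{
	return !(iova < first || iova + size - 1 > last);
}

/* The check suggested in the reply.  It catches the wrap, but `iova - 1`
 * itself wraps when iova == 0, so every mapping starting at IOVA 0 is
 * refused, and a zero-length mapping still passes. */
static bool range_ok_reply_form(u64 first, u64 last, u64 iova, u64 size)
{
	return !(iova < first ||
		 iova - 1 > U64_MAX - size ||
		 iova + size - 1 > last);
}

/* Editor's form: refuse size == 0 first, then test iova + size > 2^64
 * without wrapping either operand.  With size >= 1, U64_MAX - size + 1
 * cannot overflow, and iova + size == 2^64 (last byte at U64_MAX) is
 * still accepted, which is the "allowed to overflow to 0" case. */
static bool range_ok_checked(u64 first, u64 last, u64 iova, u64 size)
{
	if (!size)
		return false;
	return !(iova < first ||
		 iova > U64_MAX - size + 1 ||
		 iova + size - 1 > last);
}

/* Constructed test vectors (hypothetical ranges, not from the thread). */
struct vec { const char *name; u64 first, last, iova, size; bool want; };
static const struct vec vecs[] = {
	{ "in range",           0x1000, 0xfffff,    0x2000,          0x1000, true  },
	{ "below first",        0x1000, 0xfffff,    0x800,           0x100,  false },
	{ "starts at iova 0",   0,      U64_MAX,    0,               0x1000, true  },
	{ "ends at U64_MAX",    0,      U64_MAX,    U64_MAX - 0xfff, 0x1000, true  },
	{ "wraps past U64_MAX", 0,      0xffffffff, U64_MAX - 0xf,   0x20,   false },
	{ "zero length",        0x10,   0xffff,     0x10,            0,      false },
};
#define NVECS (sizeof(vecs) / sizeof(vecs[0]))

/* Number of vectors on which a checker disagrees with the expected verdict. */
static int mismatches(bool (*fn)(u64, u64, u64, u64))
{
	int bad = 0;
	for (size_t i = 0; i < NVECS; i++)
		if (fn(vecs[i].first, vecs[i].last, vecs[i].iova, vecs[i].size)
		    != vecs[i].want)
			bad++;
	return bad;
}

int main(void)
{
	bool (*fns[])(u64, u64, u64, u64) = {
		range_ok_naive, range_ok_reply_form, range_ok_checked };
	const char *names[] = { "naive", "reply form", "checked" };

	for (int f = 0; f < 3; f++) {
		printf("%-10s", names[f]);
		for (size_t i = 0; i < NVECS; i++)
			printf("  %s:%s", vecs[i].name,
			       fns[f](vecs[i].first, vecs[i].last,
				      vecs[i].iova, vecs[i].size) ? "ok" : "reject");
		printf("  (%d wrong)\n", mismatches(fns[f]));
	}
	return 0;
}
```

The "wraps past U64_MAX" vector is the case Dan describes: iova + size - 1 wraps to 0xf, which is inside a 32-bit window, so the deleted check accepts it. The reply's form rejects that correctly but turns iova == 0 into a false rejection because `iova - 1` is itself an unsigned wrap; rejecting size == 0 up front and comparing iova against U64_MAX - size + 1 avoids both problems while still accepting a mapping whose last byte is exactly U64_MAX.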