Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1447448rwb; Fri, 18 Nov 2022 19:28:42 -0800 (PST) X-Google-Smtp-Source: AA0mqf6SKXXOhIL+tzKlR3x69skR3NZUpjN7B9/Qjs4KshzbqAEvlwD1IUo+gU7+0xrADaX62Hng X-Received: by 2002:a17:902:9343:b0:188:d824:dca with SMTP id g3-20020a170902934300b00188d8240dcamr2382333plp.114.1668828522630; Fri, 18 Nov 2022 19:28:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668828522; cv=none; d=google.com; s=arc-20160816; b=QWtHuh0OFA8wxMoPRSNU15l7/eENPH6j2rIOv7qxNNdiuhZztcfhCRUFpOSeIxwI4F /B2j25ulbM8PpIweudBNZ+AeEiOdF4ZEyVWLdqd3cez6NtNePnNZ4TbB7tqZqgABwN5v HLED7XtqpVP/8zjUFCL11XO0cd8Zod2jbfA7ugsF9hqOeCQTmTA6NJtUoZRVDymh9Uwh EoiVDvZXwcnJzYz7ZtjVqB+L3wA/OrZ8/R9uTjuB5wU/qTCY7ssj+rkW+xw8nZVN3iPk /oRS446pj7xpGBLCUKzmDeAJLidI03AtYL0dj/W8MqVyclKQlrIqSUF5+BI+rXWuiQ0t TUaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=4Yjd5xMaWArHs/hCZzzkqikKWyQam6jbgmCv2vrnQpI=; b=jDn0+B/U6lv1rbp7jo1d0g+fN9YIgAXm2bVJmP10Mmf0lLCtxbmUyIZECFzW4daEjP r6+zERv6TsE/JbGWRlSFfjjSzW1F4CjbGxPAJVIP7nteBPYhmwYpaRq+ZzcKVSQZms3j Mq3fW7WmW6qLyOM8iS9Zz7Mf8751j0tDBeq7omUjkQuPqvSGz4PiFfj84+SPaWr2ULoZ tRRUkVpnyKXU7Qcbw9xpg2H5gCjOoe4o4Hnhb1bHiOUJ547DQEWHG0GQYtm3Zz/BFNZL HF1sslV14oV9h/vRlKiQut3Wt95Kbmx8fFh44269z6S+SqR5sbSvyrXxNmPHF0ij9WZP HSAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@codewreck.org header.s=2 header.b=LPqodueT; dkim=pass header.i=@codewreck.org header.s=2 header.b=IHEs1h6c; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=codewreck.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b9-20020a170903228900b0017dafc02313si6261443plh.92.2022.11.18.19.28.31; Fri, 18 Nov 2022 19:28:42 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@codewreck.org header.s=2 header.b=LPqodueT; dkim=pass header.i=@codewreck.org header.s=2 header.b=IHEs1h6c; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=codewreck.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229683AbiKSCtv (ORCPT + 90 others); Fri, 18 Nov 2022 21:49:51 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51648 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232318AbiKSCti (ORCPT ); Fri, 18 Nov 2022 21:49:38 -0500 Received: from nautica.notk.org (ipv6.notk.org [IPv6:2001:41d0:1:7a93::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF5BEA5723 for ; Fri, 18 Nov 2022 18:32:03 -0800 (PST) Received: by nautica.notk.org (Postfix, from userid 108) id 8213AC009; Sat, 19 Nov 2022 03:32:08 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=codewreck.org; s=2; t=1668825128; bh=4Yjd5xMaWArHs/hCZzzkqikKWyQam6jbgmCv2vrnQpI=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=LPqodueTv8W769nsonfh2NGZzhx/lbcySLdAbL/SpUyKbjEE7Y6yRdt5BYzmLiQhv Z3xk2Hy/upLOu7/Xa2zGiVECtCF20zVBnFfRYETSnDivcrX2+I/vxUow6CfR6H4d7T 7+IPinfuQxlBpbNDhaNO9DZUq7dDLXdBnnL/P77l7f/R2T16dXIsl7edpHZeVO1a+J PDUKmxo+oRMKjzYAC78Ow2sYGtu+HzXFQDzjOrKzWPs7fykyWBKvGiW5pZPlkyRQFm ngkiFOCO4UJNC/sCaT4kNiN22S8AhrLHP3QxGGSoOJfIxP8wrn6G/f29GNDJEsVZtd A+z4/nGPTea1w== X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from odin.codewreck.org (localhost [127.0.0.1]) by nautica.notk.org (Postfix) with ESMTPS id 28A2FC009; Sat, 19 Nov 2022 03:32:05 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=codewreck.org; s=2; t=1668825127; bh=4Yjd5xMaWArHs/hCZzzkqikKWyQam6jbgmCv2vrnQpI=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=IHEs1h6ctHt0nRgXNeQ3yrzm5E2Q5TQ3S57o/LVHvzw39TgT/xz3eUn8IngZl5G2r cuTISAGGigVoqiOOfN26H/EaIpLy0dkZwNoQOEmIY3IL9fdLLA0g1bt9l3aEVxU/16 52bYP4wGmpRvcth1DLRhE3fVd8KsV+/xrYkyr5R7xqGoLELxHLKaOW8Arn4UXIzjwj xBoWm+9orPMIi3wPtpwndFiIWhkJGD7DH7aDrvOwSr33GBW6siCklUjuWn8vVk/B5f /MLF77j8AZFex3qfzGpswyyMVZMTs4BK2En47LIprm0vUt1Qq0FhhedhicOZVr8/+r +DQWvrqwhGDxQ== Received: from localhost (odin.codewreck.org [local]) by odin.codewreck.org (OpenSMTPD) with ESMTPA id f316aa44; Sat, 19 Nov 2022 02:31:56 +0000 (UTC) Date: Sat, 19 Nov 2022 11:31:41 +0900 From: Dominique Martinet To: Stefano Stabellini Cc: GUO Zihua , linux_oss@crudebyte.com, v9fs-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/2] 9p/xen: check logical size for buffer size Message-ID: References: <20221118135542.63400-1-asmadeus@codewreck.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Thanks a lot, that was fast! Stefano Stabellini wrote on Fri, Nov 18, 2022 at 05:51:46PM -0800: > On Fri, 18 Nov 2022, Dominique Martinet wrote: > > trans_xen did not check the data fits into the buffer before copying > > from the xen ring, but we probably should. > > Add a check that just skips the request and return an error to > > userspace if it did not fit > > > > Signed-off-by: Dominique Martinet > > --- > > > > This comes more or less as a follow up of a fix for trans_fd: > > https://lkml.kernel.org/r/20221117091159.31533-1-guozihua@huawei.com > > Where msize should be replaced by capacity check, except trans_xen > > did not actually use to check the size fits at all. > > > > While we normally trust the hypervisor (they can probably do whatever > > they want with our memory), a bug in the 9p server is always possible so > > sanity checks never hurt, especially now buffers got drastically smaller > > with a recent patch. > > > > My setup for xen is unfortunately long dead so I cannot test this: > > Stefano, you've tested v9fs xen patches in the past, would you mind > > verifying this works as well? > > > > net/9p/trans_xen.c | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > > > diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c > > index b15c64128c3e..66ceb3b3ae30 100644 > > --- a/net/9p/trans_xen.c > > +++ b/net/9p/trans_xen.c > > @@ -208,6 +208,14 @@ static void p9_xen_response(struct work_struct *work) > > continue; > > } > > > > + if (h.size > req->rc.capacity) { > > + dev_warn(&priv->dev->dev, > > + "requested packet size too big: %d for tag %d with capacity %zd\n", > > + h.size, h.tag, rreq->rc.capacity); > > "req" instead of "rreq" ugh, sorry for that. I didn't realize I have NET_9P_XEN=n on this machine ... /facepalm I'm lazy so won't bother sending a v2: https://github.com/martinetd/linux/commit/ebd09c8245aa15f15b273e9733e8ed8991db3682 I'll add your Tested-by tomorrow unless you don't want to :) > I made this change and tried the two patches together. Unfortunately I > get the following error as soon as I try to write a file: > > /bin/sh: can't create /mnt/file: Input/output error > > > Next I reverted the second patch and only kept this patch. With that, it > worked as usual. It looks like the second patch is the problem. I have > not investigated further. Thanks -- it's now obvious I shouldn't send patches without testing before bedtime... I could reproduce easily with virtio as well, this one was silly as well (>= instead of >). . . With another problem when zc requests get involved, as we don't actually allocate more than 4k for the rpc itself. If I adjust it to also check with the zc 'inlen' as follow it appears to work: https://github.com/martinetd/linux/commit/162015a0dac40eccc9e8311a5eb031596ad35e82 But that inlen isn't actually precise, and trans_virtio (the only transport implementing zc rpc) actually takes some liberty with the actual sg size to better fit hardwre, so that doesn't really make sense either and we probably should just trust trans_virtio at this point? This isn't obvious, so I'll just drop this patch for now. Checking witih msize isn't any good but it can wait till we sort it out as transports now all already check this one way or another; I'd like to get the actual fixes out first. (Christian, if you have time to look at it and take over I'd appreciate it, but there's no hurry.) Thanks again and sorry for the bad patches! -- Dominique