Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On 2021/2/10 下午6:08, Stefano Garzarella wrote:
On Tue, Feb 09, 2021 at 04:31:23AM -0500, Michael S. Tsirkin wrote:
On Tue, Feb 09, 2021 at 11:24:03AM +0800, Jason Wang wrote:
On 2021/2/9 上午2:38, Michael S. Tsirkin wrote:
> On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
> > It's legal to have 'offset + len' equal to
> > sizeof(struct virtio_net_config), since 'ndev->config' is a
> > 'struct virtio_net_config', so we can safely copy its content under
> > this condition.
> >
> > Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported
mlx5 devices")
> > Cc: sta...@vger.kernel.org
> > Signed-off-by: Stefano Garzarella
> > ---
> > drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > index dc88559a8d49..10e9b09932eb 100644
> > --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > @@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct
vdpa_device *vdev, unsigned int offset,
> > struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
> > struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
> > - if (offset + len < sizeof(struct virtio_net_config))
> > + if (offset + len <= sizeof(struct virtio_net_config))
> > memcpy(buf, (u8 *)>config + offset, len);
> > }
> Actually first I am not sure we need these checks at all.
> vhost_vdpa_config_validate already validates the values, right?
I think they're working at different levels. There's no guarantee that
vhost-vdpa is the driver for this vdpa device.
In fact, get_config returns void, so userspace can easily get
trash if it passes incorrect parameters by mistake, there is
no way for userspace to find out whether that is the case :(
Any objections to returning the # of bytes copied, or -1
on error?
Make sense for me, but are we sure we don't break userspace if we
return the number of bytes instead of 0 on success?
I had a quick look at QEMU and it looks like we consider success if
the return value is >= 0, but I need to check further.
So I think in the vdpa bus level, we can return #bytes and in vhost uAPI
level, we can return error if the size is not expected otherwise zero?
Thanks
>
> Second, what will happen when we extend the struct and then
> run new userspace on an old kernel? Looks like it will just
> fail right? So what is the plan?
In this case, get_config() should match the spec behaviour. That is
to say
the size of config space depends on the feature negotiated.
Thanks
Yes but spec says config space can be bigger than specified by features:
Drivers MUST NOT limit structure size and device configuration
space size. Instead, drivers SHOULD only
check that device configuration space is large enough to contain
the fields necessary for device operation.
So IIUC in the driver we should copy as much as we can.
If you agree, I can send an RFC series and we can continue the
discussion on it, but I think we should queue this patch for stable
branches.
Thanks,
Stefano
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On Wed, Feb 10, 2021 at 07:12:31AM -0500, Michael S. Tsirkin wrote:
On Wed, Feb 10, 2021 at 12:17:19PM +0800, Jason Wang wrote:
On 2021/2/9 下午5:00, Stefano Garzarella wrote:
> On Tue, Feb 09, 2021 at 07:43:02AM +0200, Eli Cohen wrote:
> > On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
> > > It's legal to have 'offset + len' equal to
> > > sizeof(struct virtio_net_config), since 'ndev->config' is a
> > > 'struct virtio_net_config', so we can safely copy its content under
> > > this condition.
> > >
> > > Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported
> > > mlx5 devices")
> > > Cc: sta...@vger.kernel.org
> > > Signed-off-by: Stefano Garzarella
> >
> > Acked-by: Eli Cohen
> >
> > BTW, same error in vdpa_sim you may want to fix.
> >
>
> Commit 65b709586e22 ("vdpa_sim: add get_config callback in
> vdpasim_dev_attr") unintentionally solved it.
>
> Since it's a simulator, maybe we can avoid solving it in the stable
> branches. Or does it matter?
I think not, since the module depends on RUNTIME_TESTING_MENU.
Thanks
Well people use the simulator for development...
I'm not going to block this patch on it, but if someone
has the cycles to post a stable branch patch, that would be
great.
Okay, I'll do it.
Thanks,
Stefano
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On Wed, Feb 10, 2021 at 12:17:19PM +0800, Jason Wang wrote:
>
> On 2021/2/9 下午5:00, Stefano Garzarella wrote:
> > On Tue, Feb 09, 2021 at 07:43:02AM +0200, Eli Cohen wrote:
> > > On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
> > > > It's legal to have 'offset + len' equal to
> > > > sizeof(struct virtio_net_config), since 'ndev->config' is a
> > > > 'struct virtio_net_config', so we can safely copy its content under
> > > > this condition.
> > > >
> > > > Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported
> > > > mlx5 devices")
> > > > Cc: sta...@vger.kernel.org
> > > > Signed-off-by: Stefano Garzarella
> > >
> > > Acked-by: Eli Cohen
> > >
> > > BTW, same error in vdpa_sim you may want to fix.
> > >
> >
> > Commit 65b709586e22 ("vdpa_sim: add get_config callback in
> > vdpasim_dev_attr") unintentionally solved it.
> >
> > Since it's a simulator, maybe we can avoid solving it in the stable
> > branches. Or does it matter?
>
>
> I think not, since the module depends on RUNTIME_TESTING_MENU.
>
> Thanks
>
Well people use the simulator for development...
I'm not going to block this patch on it, but if someone
has the cycles to post a stable branch patch, that would be
great.
>
>
> >
> > Thanks,
> > Stefano
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On Tue, Feb 09, 2021 at 04:31:23AM -0500, Michael S. Tsirkin wrote:
On Tue, Feb 09, 2021 at 11:24:03AM +0800, Jason Wang wrote:
On 2021/2/9 上午2:38, Michael S. Tsirkin wrote:
> On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
> > It's legal to have 'offset + len' equal to
> > sizeof(struct virtio_net_config), since 'ndev->config' is a
> > 'struct virtio_net_config', so we can safely copy its content under
> > this condition.
> >
> > Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5
devices")
> > Cc: sta...@vger.kernel.org
> > Signed-off-by: Stefano Garzarella
> > ---
> > drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > index dc88559a8d49..10e9b09932eb 100644
> > --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > @@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
*vdev, unsigned int offset,
> > struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
> > struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
> > - if (offset + len < sizeof(struct virtio_net_config))
> > + if (offset + len <= sizeof(struct virtio_net_config))
> > memcpy(buf, (u8 *)>config + offset, len);
> > }
> Actually first I am not sure we need these checks at all.
> vhost_vdpa_config_validate already validates the values, right?
I think they're working at different levels. There's no guarantee that
vhost-vdpa is the driver for this vdpa device.
In fact, get_config returns void, so userspace can easily get
trash if it passes incorrect parameters by mistake, there is
no way for userspace to find out whether that is the case :(
Any objections to returning the # of bytes copied, or -1
on error?
Make sense for me, but are we sure we don't break userspace if we return
the number of bytes instead of 0 on success?
I had a quick look at QEMU and it looks like we consider success if the
return value is >= 0, but I need to check further.
>
> Second, what will happen when we extend the struct and then
> run new userspace on an old kernel? Looks like it will just
> fail right? So what is the plan?
In this case, get_config() should match the spec behaviour. That is to say
the size of config space depends on the feature negotiated.
Thanks
Yes but spec says config space can be bigger than specified by features:
Drivers MUST NOT limit structure size and device configuration space
size. Instead, drivers SHOULD only
check that device configuration space is large enough to contain the
fields necessary for device operation.
So IIUC in the driver we should copy as much as we can.
If you agree, I can send an RFC series and we can continue the
discussion on it, but I think we should queue this patch for stable
branches.
Thanks,
Stefano
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On 2021/2/9 下午5:00, Stefano Garzarella wrote:
On Tue, Feb 09, 2021 at 07:43:02AM +0200, Eli Cohen wrote:
On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
It's legal to have 'offset + len' equal to
sizeof(struct virtio_net_config), since 'ndev->config' is a
'struct virtio_net_config', so we can safely copy its content under
this condition.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5
devices")
Cc: sta...@vger.kernel.org
Signed-off-by: Stefano Garzarella
Acked-by: Eli Cohen
BTW, same error in vdpa_sim you may want to fix.
Commit 65b709586e22 ("vdpa_sim: add get_config callback in
vdpasim_dev_attr") unintentionally solved it.
Since it's a simulator, maybe we can avoid solving it in the stable
branches. Or does it matter?
I think not, since the module depends on RUNTIME_TESTING_MENU.
Thanks
Thanks,
Stefano
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On Tue, Feb 09, 2021 at 11:24:03AM +0800, Jason Wang wrote:
>
> On 2021/2/9 上午2:38, Michael S. Tsirkin wrote:
> > On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
> > > It's legal to have 'offset + len' equal to
> > > sizeof(struct virtio_net_config), since 'ndev->config' is a
> > > 'struct virtio_net_config', so we can safely copy its content under
> > > this condition.
> > >
> > > Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5
> > > devices")
> > > Cc: sta...@vger.kernel.org
> > > Signed-off-by: Stefano Garzarella
> > > ---
> > > drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > > b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > > index dc88559a8d49..10e9b09932eb 100644
> > > --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > > +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> > > @@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
> > > *vdev, unsigned int offset,
> > > struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
> > > struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
> > > - if (offset + len < sizeof(struct virtio_net_config))
> > > + if (offset + len <= sizeof(struct virtio_net_config))
> > > memcpy(buf, (u8 *)>config + offset, len);
> > > }
> > Actually first I am not sure we need these checks at all.
> > vhost_vdpa_config_validate already validates the values, right?
>
>
> I think they're working at different levels. There's no guarantee that
> vhost-vdpa is the driver for this vdpa device.
In fact, get_config returns void, so userspace can easily get
trash if it passes incorrect parameters by mistake, there is
no way for userspace to find out whether that is the case :(
Any objections to returning the # of bytes copied, or -1
on error?
>
> >
> > Second, what will happen when we extend the struct and then
> > run new userspace on an old kernel? Looks like it will just
> > fail right? So what is the plan?
>
>
> In this case, get_config() should match the spec behaviour. That is to say
> the size of config space depends on the feature negotiated.
>
> Thanks
Yes but spec says config space can be bigger than specified by features:
Drivers MUST NOT limit structure size and device configuration space
size. Instead, drivers SHOULD only
check that device configuration space is large enough to contain the
fields necessary for device operation.
>
> > I think we should
> > allow a bigger size, and return the copied config size to userspace.
> >
> >
> > > --
> > > 2.29.2
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On Tue, Feb 09, 2021 at 07:43:02AM +0200, Eli Cohen wrote:
On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
It's legal to have 'offset + len' equal to
sizeof(struct virtio_net_config), since 'ndev->config' is a
'struct virtio_net_config', so we can safely copy its content under
this condition.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Cc: sta...@vger.kernel.org
Signed-off-by: Stefano Garzarella
Acked-by: Eli Cohen
BTW, same error in vdpa_sim you may want to fix.
Commit 65b709586e22 ("vdpa_sim: add get_config callback in
vdpasim_dev_attr") unintentionally solved it.
Since it's a simulator, maybe we can avoid solving it in the stable
branches. Or does it matter?
Thanks,
Stefano
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index dc88559a8d49..10e9b09932eb 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
*vdev, unsigned int offset,
struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
- if (offset + len < sizeof(struct virtio_net_config))
+ if (offset + len <= sizeof(struct virtio_net_config))
memcpy(buf, (u8 *)>config + offset, len);
}
--
2.29.2
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On Tue, Feb 09, 2021 at 11:24:03AM +0800, Jason Wang wrote:
On 2021/2/9 上午2:38, Michael S. Tsirkin wrote:
On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
It's legal to have 'offset + len' equal to
sizeof(struct virtio_net_config), since 'ndev->config' is a
'struct virtio_net_config', so we can safely copy its content under
this condition.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Cc: sta...@vger.kernel.org
Signed-off-by: Stefano Garzarella
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index dc88559a8d49..10e9b09932eb 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
*vdev, unsigned int offset,
struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
- if (offset + len < sizeof(struct virtio_net_config))
+ if (offset + len <= sizeof(struct virtio_net_config))
memcpy(buf, (u8 *)>config + offset, len);
}
Actually first I am not sure we need these checks at all.
vhost_vdpa_config_validate already validates the values, right?
I think they're working at different levels. There's no guarantee that
vhost-vdpa is the driver for this vdpa device.
Maybe we can do these checks in the vdpa_get_config() helper and we can
also add a vdpa_set_config() to do the same.
Thanks,
Stefano
Second, what will happen when we extend the struct and then
run new userspace on an old kernel? Looks like it will just
fail right? So what is the plan?
In this case, get_config() should match the spec behaviour. That is to
say the size of config space depends on the feature negotiated.
Thanks
I think we should
allow a bigger size, and return the copied config size to userspace.
--
2.29.2
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
> It's legal to have 'offset + len' equal to
> sizeof(struct virtio_net_config), since 'ndev->config' is a
> 'struct virtio_net_config', so we can safely copy its content under
> this condition.
>
> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Stefano Garzarella
Acked-by: Eli Cohen
BTW, same error in vdpa_sim you may want to fix.
> ---
> drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> index dc88559a8d49..10e9b09932eb 100644
> --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> @@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
> *vdev, unsigned int offset,
> struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
> struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
>
> - if (offset + len < sizeof(struct virtio_net_config))
> + if (offset + len <= sizeof(struct virtio_net_config))
> memcpy(buf, (u8 *)>config + offset, len);
> }
>
> --
> 2.29.2
>
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On 2021/2/9 上午2:38, Michael S. Tsirkin wrote:
On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
It's legal to have 'offset + len' equal to
sizeof(struct virtio_net_config), since 'ndev->config' is a
'struct virtio_net_config', so we can safely copy its content under
this condition.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Cc: sta...@vger.kernel.org
Signed-off-by: Stefano Garzarella
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index dc88559a8d49..10e9b09932eb 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
*vdev, unsigned int offset,
struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
- if (offset + len < sizeof(struct virtio_net_config))
+ if (offset + len <= sizeof(struct virtio_net_config))
memcpy(buf, (u8 *)>config + offset, len);
}
Actually first I am not sure we need these checks at all.
vhost_vdpa_config_validate already validates the values, right?
I think they're working at different levels. There's no guarantee that
vhost-vdpa is the driver for this vdpa device.
Second, what will happen when we extend the struct and then
run new userspace on an old kernel? Looks like it will just
fail right? So what is the plan?
In this case, get_config() should match the spec behaviour. That is to
say the size of config space depends on the feature negotiated.
Thanks
I think we should
allow a bigger size, and return the copied config size to userspace.
--
2.29.2
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On 2021/2/9 上午12:17, Stefano Garzarella wrote:
It's legal to have 'offset + len' equal to
sizeof(struct virtio_net_config), since 'ndev->config' is a
'struct virtio_net_config', so we can safely copy its content under
this condition.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Cc: sta...@vger.kernel.org
Signed-off-by: Stefano Garzarella
Acked-by: Jason Wang
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index dc88559a8d49..10e9b09932eb 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
*vdev, unsigned int offset,
struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
- if (offset + len < sizeof(struct virtio_net_config))
+ if (offset + len <= sizeof(struct virtio_net_config))
memcpy(buf, (u8 *)>config + offset, len);
}
Re: [PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
On Mon, Feb 08, 2021 at 05:17:41PM +0100, Stefano Garzarella wrote:
> It's legal to have 'offset + len' equal to
> sizeof(struct virtio_net_config), since 'ndev->config' is a
> 'struct virtio_net_config', so we can safely copy its content under
> this condition.
>
> Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Stefano Garzarella
> ---
> drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> index dc88559a8d49..10e9b09932eb 100644
> --- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
> +++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
> @@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
> *vdev, unsigned int offset,
> struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
> struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
>
> - if (offset + len < sizeof(struct virtio_net_config))
> + if (offset + len <= sizeof(struct virtio_net_config))
> memcpy(buf, (u8 *)>config + offset, len);
> }
Actually first I am not sure we need these checks at all.
vhost_vdpa_config_validate already validates the values, right?
Second, what will happen when we extend the struct and then
run new userspace on an old kernel? Looks like it will just
fail right? So what is the plan? I think we should
allow a bigger size, and return the copied config size to userspace.
> --
> 2.29.2
[PATCH] vdpa/mlx5: fix param validation in mlx5_vdpa_get_config()
It's legal to have 'offset + len' equal to
sizeof(struct virtio_net_config), since 'ndev->config' is a
'struct virtio_net_config', so we can safely copy its content under
this condition.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
Cc: sta...@vger.kernel.org
Signed-off-by: Stefano Garzarella
---
drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c
b/drivers/vdpa/mlx5/net/mlx5_vnet.c
index dc88559a8d49..10e9b09932eb 100644
--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
+++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
@@ -1820,7 +1820,7 @@ static void mlx5_vdpa_get_config(struct vdpa_device
*vdev, unsigned int offset,
struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
- if (offset + len < sizeof(struct virtio_net_config))
+ if (offset + len <= sizeof(struct virtio_net_config))
memcpy(buf, (u8 *)>config + offset, len);
}
--
2.29.2
