On Wed, Feb 04, 2015 at 02:41:07AM -0800, Nicholas A. Bellinger wrote:
> On Wed, 2015-02-04 at 10:42 +0100, Michael S. Tsirkin wrote:
> > On Wed, Feb 04, 2015 at 01:40:25AM -0800, Nicholas A. Bellinger wrote:
> > > > > + /*
> > > > > + * Any associated T10_PI bytes for the outgoing /
> > > > > incoming
> > > > > + * payloads are included in calculation of exp_data_len
> > > > > here.
> > > > > + */
> > > > > + if (out_size > req_size) {
> > > > > + data_direction = DMA_TO_DEVICE;
> > > > > + exp_data_len = out_size - req_size;
> > > > > + } else if (in_size > rsp_size) {
> > > > > + data_direction = DMA_FROM_DEVICE;
> > > > > + exp_data_len = in_size - rsp_size;
> > > > > + } else {
> > > > > + data_direction = DMA_NONE;
> > > > > + exp_data_len = 0;
> > > > > + }
> > > >
> > > > We must validate this doesn't cause exp_data_len to be negative.
> > > >
> > >
> > > AFAICT, exp_data_len is always >= 0 here.
> >
> > What guarantees out_size > req_size and in_size > rsp_size,
> > respectively?
> >
>
> Mmm, point taken.
>
> So moving this part after copy_from_iter() ensures that at least
> req_size bytes exists of out_size. Making this change now.
>
> For in_size > rsp_size there is no guarantee, and falls back to
> data_direction = DMA_NONE + exp_data_len = 0;
>
> Is this what you had in mind..?
>
> --nab
Hmm what do you mean by "there is no guarantee"?
What will happen if in_size < rsp_size because guest
supplied an invalid descriptor?
--
MST
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
