On Wed, Feb 04, 2015 at 02:41:07AM -0800, Nicholas A. Bellinger wrote:
> On Wed, 2015-02-04 at 10:42 +0100, Michael S. Tsirkin wrote:
> > On Wed, Feb 04, 2015 at 01:40:25AM -0800, Nicholas A. Bellinger wrote:
> > > > > +             /*
> > > > > +              * Any associated T10_PI bytes for the outgoing / 
> > > > > incoming
> > > > > +              * payloads are included in calculation of exp_data_len 
> > > > > here.
> > > > > +              */
> > > > > +             if (out_size > req_size) {
> > > > > +                     data_direction = DMA_TO_DEVICE;
> > > > > +                     exp_data_len = out_size - req_size;
> > > > > +             } else if (in_size > rsp_size) {
> > > > > +                     data_direction = DMA_FROM_DEVICE;
> > > > > +                     exp_data_len = in_size - rsp_size;
> > > > > +             } else {
> > > > > +                     data_direction = DMA_NONE;
> > > > > +                     exp_data_len = 0;
> > > > > +             }
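Review bot: the final else branch is reached both when there is no data payload and when out_size < req_size or in_size < rsp_size, so a descriptor too small for the request or response header is treated as DMA_NONE with exp_data_len = 0 instead of being rejected. Nothing in this hunk establishes out_size >= req_size and in_size >= rsp_size; check both before this block and fail the request otherwise. Separately, when out_size > req_size and in_size > rsp_size both hold, the first branch wins and the incoming payload is ignored without comment, which deserves either a note in the comment above or an explicit rejection.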
> > > > 
> > > > We must validate this doesn't cause exp_data_len to be negative.
> > > > 
> > > 
> > > AFAICT, exp_data_len is always >= 0 here.
> > 
> > What guarantees out_size > req_size and in_size > rsp_size,
> > respectively?
> > 
> 
> Mmm, point taken.
> 
> So moving this part after copy_from_iter() ensures that at least
> req_size bytes exist of out_size.  Making this change now.
> 
> For in_size > rsp_size there is no guarantee, and falls back to
> data_direction = DMA_NONE + exp_data_len = 0;
> 
> Is this what you had in mind..?
> 
> --nab

Hmm what do you mean by "there is no guarantee"?
What will happen if in_size < rsp_size because guest
supplied an invalid descriptor?

-- 
MST
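
The validation this exchange is asking about, as an added example that is not code from the thread or from the patch under review. It assumes the four sizes are unsigned (`size_t`); `xfer_dir`, `unchecked_len` and `classify_xfer` are hypothetical names, with the enum standing in for the kernel's DMA_* constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for DMA_NONE / DMA_TO_DEVICE / DMA_FROM_DEVICE. */
enum xfer_dir { XFER_NONE, XFER_TO_DEVICE, XFER_FROM_DEVICE };

/* Unchecked form: with unsigned sizes a too-small buffer wraps around
 * to a huge length instead of going negative. */
static size_t unchecked_len(size_t buf_size, size_t hdr_size)
{
    return buf_size - hdr_size;
}

/* Checked form: reject descriptors smaller than the fixed request or
 * response header before deriving direction and payload length.
 * Returns 0 on success, -1 when the guest-supplied sizes are invalid. */
static int classify_xfer(size_t out_size, size_t in_size,
                         size_t req_size, size_t rsp_size,
                         enum xfer_dir *dir, size_t *exp_data_len)
{
    if (out_size < req_size || in_size < rsp_size)
        return -1;

    if (out_size > req_size) {
        *dir = XFER_TO_DEVICE;
        *exp_data_len = out_size - req_size;
    } else if (in_size > rsp_size) {
        *dir = XFER_FROM_DEVICE;
        *exp_data_len = in_size - rsp_size;
    } else {
        *dir = XFER_NONE;
        *exp_data_len = 0;
    }
    return 0;
}

int main(void)
{
    enum xfer_dir dir;
    size_t len;

    /* Constructed sizes: 16-byte out buffer against a 64-byte header. */
    printf("unchecked: %zu\n", unchecked_len(16, 64));
    printf("checked:   %d\n", classify_xfer(16, 108, 64, 108, &dir, &len));
    return 0;
}
```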