On Mon, Jul 31, 2023 at 10:19:09AM -0300, Jason Gunthorpe wrote:
On Mon, Jul 31, 2023 at 10:07:32AM +0000, Liu, Yi L wrote:
goto out_put_hwpt;- }
- /*
* Copy the needed fields before reusing the ucmd buffer, this* avoids memory allocation in this path.*/- user_ptr = cmd->data_uptr;
- user_data_len = cmd->data_len;
Uhh, who checks that klen < the temporary stack struct?
Take vtd as an example. The invalidate structure is struct iommu_hwpt_vtd_s1_invalidate[1]. The klen is sizeof(struct iommu_hwpt_vtd_s1_invalidate)[2]. iommu_hwpt_vtd_s1_invalidate is also placed in the temporary stack struct (actually it is a union)[1]. So the klen should be <= temporary stack.
Ohh, I think I would add a few comments noting that the invalidate structs need to be added to that union. Easy to miss.
Added here:
- * Copy the needed fields before reusing the ucmd buffer, this - * avoids memory allocation in this path. + * Copy the needed fields before reusing the ucmd buffer, this avoids + * memory allocation in this path. Again, user invalidate data struct + * must be added to the union ucmd_buffer.
It's not so explicit though. Perhaps worth to have a check like below in this patch?
if (unlikely(klen > sizeof(union ucmd_buffer))) return -EINVAL;
Yes, stick this in the domain allocate path with a WARN_ON. The driver is broken to allocate a domain with an invalid size.
And here too with a WARN_ON_ONCE.
+ /* + * Either the driver is broken by having an invalid size, or the user + * invalidate data struct used by the driver is missing in the union. + */ + if (WARN_ON_ONCE(hwpt->domain->ops->cache_invalidate_user && + (!hwpt->domain->ops->cache_invalidate_user_data_len || + hwpt->domain->ops->cache_invalidate_user_data_len > + sizeof(union ucmd_buffer)))) { + rc = -EINVAL; + goto out_abort; + + }
Though I am making this cache_invalidate_user optional here, I wonder if there actually could be a case that a user-managed domain doesn't need a cache_invalidate_user op...
Thanks Nicolin