From: Yuval Shaia <yuval.shaia@oracle.com>
To: P J P <ppandit@redhat.com>
Cc: Qemu Developers <qemu-devel@nongnu.org>,
	Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
	Saar Amar <saaramar5@gmail.com>, Li Qiang <liq3ea@163.com>,
	Prasad J Pandit <pjp@fedoraproject.org>,
	yuval.shaia@oracle.com
Subject: Re: [Qemu-devel] [PATCH 3/5] pvrdma: check number of pages when creating rings
Date: Tue, 11 Dec 2018 17:38:31 +0200
Message-ID: <20181211153830.GC28105@lap1>
In-Reply-To: <20181211132642.3027-4-ppandit@redhat.com>

On Tue, Dec 11, 2018 at 06:56:40PM +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> When creating CQ/QP rings, an object can have up to
> PVRDMA_MAX_FAST_REG_PAGES=128 pages. Check 'npages' parameter
> to avoid excessive memory allocation or a null dereference.
> 
> Reported-by: Li Qiang <liq3ea@163.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
>  hw/rdma/vmw/pvrdma_cmd.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
> index 4faeb21631..ee2888259c 100644
> --- a/hw/rdma/vmw/pvrdma_cmd.c
> +++ b/hw/rdma/vmw/pvrdma_cmd.c
> @@ -273,6 +273,10 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
>          pr_dbg("Failed to map to CQ page table\n");
>          goto out;
>      }
> +    if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
> +        pr_dbg("invalid nchunks: %d\n", nchunks);
> +        goto out;
> +    }
>  
>      r = g_malloc(sizeof(*r));
>      *ring = r;
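
Review bot: The 'nchunks' check in create_cq_ring is placed after the page-table mapping step (it follows the "Failed to map to CQ page table" error path), so an out-of-range value is rejected only once the mapping exists and 'goto out' has to undo it; the cleanup at 'out' is not visible in this hunk. Validating 'nchunks' before the mapping would leave the rejection path with nothing to release. The commit message also speaks of an 'npages' parameter while the code tests 'nchunks'; using one name in both would make the bound easier to audit.
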
> @@ -389,6 +393,11 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
>          pr_dbg("Failed to map to CQ page table\n");
>          goto out;
>      }
> +    if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
> +        || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
> +        pr_dbg("invalid pages: %d, %d\n", spages, rpages);
> +        goto out;
> +    }
>  

This check (along with the one in create_cq_ring) better be placed before
mapping to the page table.

With or without accepting the suggestion, the fix LGTM.

Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>

>      sr = g_malloc(2 * sizeof(*rr));
>      rr = &sr[1];
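
Review bot: The combined test on 'spages' and 'rpages' in create_qp_rings also sits after the page-table mapping, so the counts are rejected only once there is a mapping for 'goto out' to unwind; checking them before the map avoids that. The single pr_dbg("invalid pages: %d, %d\n", ...) does not say which count failed, or whether it was zero or above PVRDMA_MAX_FAST_REG_PAGES; two separate checks would make the log unambiguous. The g_malloc(2 * sizeof(*rr)) that follows has a fixed size, so a short comment naming the later allocation or dereference this bound protects would help the next reader.
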
> -- 
> 2.19.2
> 
