Date: Wed, 31 May 2023 01:50:43 -0400
From: "Michael S. Tsirkin"
To: Jason Wang
Cc: xuanzhuo@linux.alibaba.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] virtio_ring: validate used buffer length
Message-ID: <20230531014326-mutt-send-email-mst@kernel.org>
References: <20230526063041.18359-1-jasowang@redhat.com> <20230528033037-mutt-send-email-mst@kernel.org> <20230529055729-mutt-send-email-mst@kernel.org>

On Wed, May 31, 2023 at 09:05:00AM +0800, Jason Wang wrote:
> On Mon, May 29, 2023 at 6:03 PM Michael S. Tsirkin wrote:
> >
> > On Mon, May 29, 2023 at 09:18:10AM +0800, Jason Wang wrote:
> > > On Sun, May 28, 2023 at 3:57 PM Michael S. Tsirkin wrote:
> > > >
> > > > On Fri, May 26, 2023 at 02:30:41PM +0800, Jason Wang wrote:
> > > > > This patch validate
> > > >
> > > > validates
> > > >
> > > > > the used buffer length provided by the device
> > > > > before trying to use it.
> > > >
> > > > before returning it to caller
> > > >
> > > > > This is done by remembering the in buffer
> > > > > length in a dedicated array during virtqueue_add(), then we can fail
> > > > > the virtqueue_get_buf() when we find the device is trying to give us a
> > > > > used buffer length which is greater than we stored before.
> > > >
> > > > than what we stored
> > > >
> > > > >
> > > > > This validation is disable
> > > >
> > > > disabled
> > > >
> > > > > by default via module parameter to unbreak
> > > > > some existing devices since some legacy devices are known to report
> > > > > buggy used length.
> > > > >
> > > > > Signed-off-by: Jason Wang
> > > >
> > > > First I'm not merging this without more data about
> > > > what is known to be broken and what is known to work well
> > > > in the commit log. And how exactly do things work if used length
> > > > is wrong?
> > >
> > > Assuming the device is malicious, it would be very hard to answer.
> > > Auditing and fuzzing won't cover every case. Instead of trying to seek
> > > the answer, we can simply make sure the used in buffer length is
> > > validated then we know we're fine or not.
> >
> > To restate the question, you said above "some legacy devices are known
> > to report buggy used length". If they report buggy length then how
> > can things work?
>
> The validation is disabled for legacy device (as stated in the changelog):
>
> static bool vring_needs_used_validation(const struct virtio_device *vdev)
> {
>         /*
>          * Several legacy devices are known to produce buggy used
>          * length. In order to let driver work, we won't validate used
>          * buffer length in this case.
>          */
>         if (!virtio_has_feature(vdev, VIRTIO_F_VERSION_1))
>                 return false;
>         if (force_used_validation)
>                 return true;
>         return false;
> }
>
> This seems to be what we've agreed in last version:
>
> https://lore.kernel.org/all/CANLsYkxfhamUU0bb4j7y6N4_G9odKxLCjXxgXEx4SJ6_Kf+M2Q@mail.gmail.com/T/#m31f3b06f9032beec175c312dfa2532cb08b15c56
>
> Thanks
>

I don't get it. You wrote:

	This validation is disable
	by default via module parameter to unbreak
	some existing devices since some legacy devices are known to report
	buggy used length.

which devices? why do you need a module parameter?


> >
> > > > Second what's wrong with dma_desc_extra that we already maintain?
> > > > Third motivation - it's part and parcel of the hardening effort yes?
> > >
> > > They are different. dma_desc_extra is for a descriptor ring, but this
> > > is for a used ring. Technically we can go back to iterate on the
> > > descriptor ring for a legal used in buffer length. But it will have
> > > worse performance.
> >
> > I don't really understand. We already iterate when we unmap -
> > all that is necessary is to subtract it from used length, if at
> > the end of the process it is >0 then we know used length is too
> > large.
>
> Yes, but it is the job that is done in the driver level not the virtio
> core.

What job? unmap is done in detach_buf_split and detach_buf_packed respectively.
vring_desc_extra isn't even visible outside drivers/virtio/virtio_ring.c

For drivers that do unmap at driver level - I guess they can do
validation there too.

> Validation in virtio core is still necessary since they're
> working at different levels and it's hard to force the validation in
> all drivers by codes. Last version introduces a
> suppress_driver_validation to allow the driver to suppress the core
> validation which seems not good, we need a way to force the
> virtio_ring code to do validation before.

Why do we? If driver validates length virtio_ring does not need to
validate.  If driver does not use length virtio_ring does not need to
validate. core can provide this service for the gazillion non
performance critical drivers that just want to keep things simple,
but the 4-5 critical ones can do their own validation if they want to.

> Or such stuff could be added
> on top since the validation is by default anyway.
>
> Thanks



> >
> >
> > > > I'd like to know the fate of VIRTIO_HARDEN_NOTIFICATION before
> > > > we do more hardening. If it's irrevocably broken let's rip it out?
> > >
> > > So the plan is
> > >
> > > 1) finish used ring validation (this had been proposed, merged and
> > > reverted before notification hardening)
> > > 2) do notification hardening on top.
> > >
> > > So let's leave it as is and I will do a rework after we finalize the
> > > used ring validation.
> > > > > > Thanks > > > > > > > > > > > > > > > > --- > > > > > Changes since V4: > > > > > - drop the flat for driver to suppress the check > > > > > - validation is disabled by default > > > > > - don't do validation for legacy device > > > > > - rebase and support virtqueue resize > > > > > --- > > > > > drivers/virtio/virtio_ring.c | 75 ++++++++++++++++++++++++++++++++++++ > > > > > 1 file changed, 75 insertions(+) > > > > > > > > > > diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c > > > > > index 143f380baa1c..5b151605aaf8 100644 > > > > > --- a/drivers/virtio/virtio_ring.c > > > > > +++ b/drivers/virtio/virtio_ring.c > > > > > @@ -15,6 +15,9 @@ > > > > > #include > > > > > #include > > > > > > > > > > +static bool force_used_validation = false; > > > > > +module_param(force_used_validation, bool, 0444); > > > > > + > > > > > #ifdef DEBUG > > > > > /* For development, we want to crash whenever the ring is screwed. */ > > > > > #define BAD_RING(_vq, fmt, args...) \ > > > > > @@ -105,6 +108,9 @@ struct vring_virtqueue_split { > > > > > struct vring_desc_state_split *desc_state; > > > > > struct vring_desc_extra *desc_extra; > > > > > > > > > > + /* Maximum in buffer length, NULL means no used validation */ > > > > > + u32 *buflen; > > > > > + > > > > > /* DMA address and size information */ > > > > > dma_addr_t queue_dma_addr; > > > > > size_t queue_size_in_bytes; > > > > > @@ -145,6 +151,9 @@ struct vring_virtqueue_packed { > > > > > struct vring_desc_state_packed *desc_state; > > > > > struct vring_desc_extra *desc_extra; > > > > > > > > > > + /* Maximum in buffer length, NULL means no used validation */ > > > > > + u32 *buflen; > > > > > + > > > > > /* DMA address and size information */ > > > > > dma_addr_t ring_dma_addr; > > > > > dma_addr_t driver_event_dma_addr; 
> > > > > @@ -552,6 +561,7 @@ static inline int virtqueue_add_split(struct virtqueue *_vq, > > > > > unsigned int i, n, avail, descs_used, prev, err_idx; > > > > > int head; > > > > > bool indirect; > > > > > + u32 buflen = 0; > > > > > > > > > > START_USE(vq); > > > > > > > > > > @@ -635,6 +645,7 @@ static inline int virtqueue_add_split(struct virtqueue *_vq, > > > > > VRING_DESC_F_NEXT | > > > > > VRING_DESC_F_WRITE, > > > > > indirect); > > > > > + buflen += sg->length; > > > > > } > > > > > } > > > > > /* Last one doesn't continue. */ > > > > > @@ -675,6 +686,10 @@ static inline int virtqueue_add_split(struct virtqueue *_vq, > > > > > else > > > > > vq->split.desc_state[head].indir_desc = ctx; > > > > > > > > > > + /* Store in buffer length if necessary */ > > > > > + if (vq->split.buflen) > > > > > + vq->split.buflen[head] = buflen; > > > > > + > > > > > /* Put entry in available array (but don't update avail->idx until they > > > > > * do sync). */ > > > > > avail = vq->split.avail_idx_shadow & (vq->split.vring.num - 1); > > > > > @@ -861,6 +876,11 @@ static void *virtqueue_get_buf_ctx_split(struct virtqueue *_vq, > > > > > BAD_RING(vq, "id %u is not a head!\n", i); > > > > > return NULL; > > > > > } > > > > > + if (vq->split.buflen && unlikely(*len > vq->split.buflen[i])) { > > > > > + BAD_RING(vq, "used len %d is larger than max in buffer len %u\n", > > > > > + *len, vq->split.buflen[i]); > > > > > + return NULL; > > > > > + } > > > > > > > > > > /* detach_buf_split clears data, so grab it now. */ > > > > > ret = vq->split.desc_state[i].data; 
> > > > > @@ -1085,10 +1105,25 @@ static void vring_free_split(struct vring_virtqueue_split *vring_split, > > > > > vring_split->queue_dma_addr, > > > > > dma_dev); > > > > > > > > > > + kfree(vring_split->buflen); > > > > > kfree(vring_split->desc_state); > > > > > kfree(vring_split->desc_extra); > > > > > } > > > > > > > > > > +static bool vring_needs_used_validation(const struct virtio_device *vdev) > > > > > +{ > > > > > + /* > > > > > + * Several legacy devices are known to produce buggy used > > > > > + * length. In order to let driver work, we won't validate used > > > > > + * buffer length in this case. > > > > > + */ > > > > > + if (!virtio_has_feature(vdev, VIRTIO_F_VERSION_1)) > > > > > + return false; > > > > > + if (force_used_validation) > > > > > + return true; > > > > > + return false; > > > > > +} > > > > > + > > > > > static int vring_alloc_queue_split(struct vring_virtqueue_split *vring_split, > > > > > struct virtio_device *vdev, > > > > > u32 num, > > > > > @@ -1137,7 +1172,19 @@ static int vring_alloc_queue_split(struct vring_virtqueue_split *vring_split, > > > > > vring_split->vring_align = vring_align; > > > > > vring_split->may_reduce_num = may_reduce_num; > > > > > > > > > > + if (vring_needs_used_validation(vdev)) { > > > > > + vring_split->buflen = > > > > > + kmalloc_array(num, sizeof(*vring_split->buflen), > > > > > + GFP_KERNEL); > > > > > + if (!vring_split->buflen) > > > > > + goto err_buflen; > > > > > + } > > > > > + > > > > > return 0; > > > > > + > > > > > +err_buflen: > > > > > + vring_free_split(vring_split, vdev, dma_dev); > > > > > + return -ENOMEM; > > > > > } > > > > > > > > > > static struct virtqueue *vring_create_virtqueue_split( 
> > > > > @@ -1297,6 +1344,7 @@ static int virtqueue_add_indirect_packed(struct vring_virtqueue *vq, > > > > > unsigned int i, n, err_idx; > > > > > u16 head, id; > > > > > dma_addr_t addr; > > > > > + u32 buflen = 0; > > > > > > > > > > head = vq->packed.next_avail_idx; > > > > > desc = alloc_indirect_packed(total_sg, gfp); > > > > > @@ -1325,6 +1373,8 @@ static int virtqueue_add_indirect_packed(struct vring_virtqueue *vq, > > > > > desc[i].addr = cpu_to_le64(addr); > > > > > desc[i].len = cpu_to_le32(sg->length); > > > > > i++; > > > > > + if (n >= out_sgs) > > > > > + buflen += sg->length; > > > > > } > > > > > } > > > > > > > > > > @@ -1379,6 +1429,10 @@ static int virtqueue_add_indirect_packed(struct vring_virtqueue *vq, > > > > > vq->packed.desc_state[id].last = id; > > > > > vq->packed.desc_state[id].premapped = premapped; > > > > > > > > > > + /* Store in buffer length if necessary */ > > > > > + if (vq->packed.buflen) > > > > > + vq->packed.buflen[id] = buflen; > > > > > + > > > > > vq->num_added += 1; > > > > > > > > > > pr_debug("Added buffer head %i to %p\n", head, vq); > > > > > @@ -1416,6 +1470,7 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, > > > > > __le16 head_flags, flags; > > > > > u16 head, id, prev, curr, avail_used_flags; > > > > > int err; > > > > > + u32 buflen = 0; > > > > > > > > > > START_USE(vq); > > > > > > > > > > @@ -1498,6 +1553,8 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, > > > > > 1 << VRING_PACKED_DESC_F_AVAIL | > > > > > 1 << VRING_PACKED_DESC_F_USED; > > > > > } > > > > > + if (n >= out_sgs) > > > > > + buflen += sg->length; > > > > > } > > > > > } 
> > > > > > > > > > @@ -1518,6 +1575,10 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, > > > > > vq->packed.desc_state[id].last = prev; > > > > > vq->packed.desc_state[id].premapped = premapped; > > > > > > > > > > + /* Store in buffer length if necessary */ > > > > > + if (vq->packed.buflen) > > > > > + vq->packed.buflen[id] = buflen; > > > > > + > > > > > /* > > > > > * A driver MUST NOT make the first descriptor in the list > > > > > * available before all subsequent descriptors comprising > > > > > @@ -1718,6 +1779,11 @@ static void *virtqueue_get_buf_ctx_packed(struct virtqueue *_vq, > > > > > BAD_RING(vq, "id %u is not a head!\n", id); > > > > > return NULL; > > > > > } > > > > > + if (vq->packed.buflen && unlikely(*len > vq->packed.buflen[id])) { > > > > > + BAD_RING(vq, "used len %d is larger than max in buffer len %u\n", > > > > > + *len, vq->packed.buflen[id]); > > > > > + return NULL; > > > > > + } > > > > > > > > > > /* detach_buf_packed clears data, so grab it now. */ > > > > > ret = vq->packed.desc_state[id].data; > > > > > @@ -1937,6 +2003,7 @@ static void vring_free_packed(struct vring_virtqueue_packed *vring_packed, > > > > > vring_packed->device_event_dma_addr, > > > > > dma_dev); > > > > > > > > > > + kfree(vring_packed->buflen); > > > > > kfree(vring_packed->desc_state); > > > > > kfree(vring_packed->desc_extra); > > > > > } > > > > > @@ -1988,6 +2055,14 @@ static int vring_alloc_queue_packed(struct vring_virtqueue_packed *vring_packed, > > > > > > > > > > vring_packed->vring.num = num; > > > > > > > > > > + if (vring_needs_used_validation(vdev)) { > > > > > + vring_packed->buflen = > > > > > + kmalloc_array(num, sizeof(*vring_packed->buflen), > > > > > + GFP_KERNEL); > > > > > + if (!vring_packed->buflen) > > > > > + goto err; > > > > > + } > > > > > + > > > > > return 0; > > > > > > > > > > err: > > > > > -- > > > > > 2.25.1 > > > > > >
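Review bot: In the first hunk (@@ -15,6 +15,9), "static bool force_used_validation = false;" carries a redundant initializer (statics are already zeroed, and checkpatch flags this), and the parameter has no MODULE_PARM_DESC. With mode 0444 it can only be set at load time and it applies to every virtio device at once; a description should say so and say which devices need it left off, which is the question still open in the thread.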
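Review bot: In the virtqueue_add_split hunk at @@ -635,6 +645,7, "buflen += sg->length;" accumulates into a u32 with no overflow handling. If the in-sg lengths sum past U32_MAX the stored bound wraps to a small value and a legitimate used length is then reported as a bad ring; saturate at U32_MAX or use check_add_overflow(). The same accumulation appears in virtqueue_add_indirect_packed and virtqueue_add_packed.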
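Review bot: In the virtqueue_get_buf_ctx_split hunk at @@ -861,6 +876,11, the BAD_RING message prints *len with %d while the stored bound next to it uses %u. An oversized device-supplied length is exactly what this message reports, and with %d it prints as a negative number once it exceeds INT_MAX; use %u for both values, here and in the matching virtqueue_get_buf_ctx_packed hunk.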
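Review bot: In vring_needs_used_validation() (hunk @@ -1085,10 +1105,25), the comment says several legacy devices report a buggy used length but names none, and it does not explain why validation stays off by default for VIRTIO_F_VERSION_1 devices once legacy ones are already excluded by the first test. Please document both in the comment and the commit log. The body also reduces to a single "return virtio_has_feature(vdev, VIRTIO_F_VERSION_1) && force_used_validation;".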
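Review bot: In the vring_alloc_queue_split hunk at @@ -1137,7 +1172,19, vring_split->buflen is assigned only when vring_needs_used_validation() returns true, so the "NULL means no used validation" contract depends on the caller having zeroed the struct; assign NULL explicitly in the other case. The new err_buflen path calls vring_free_split(), which also kfree()s desc_state and desc_extra, so confirm both are NULL or valid at this point in the function.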
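Review bot: In the vring_alloc_queue_packed hunk at @@ -1988,6 +2055,14, an allocation failure jumps to the existing err: label, whereas the split version adds its own label that calls vring_free_split() and returns -ENOMEM. The body of err: is outside the hunk; check that it releases the ring and event areas allocated earlier and returns -ENOMEM, and consider making the two error paths symmetric. As in the split case, buflen is left unassigned when validation is off.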
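The two validation strategies debated in the message above, side by side, as an added userspace C model (not kernel code, not part of the patch, and not written by either participant). The struct, function names and sample chain are hypothetical and constructed for illustration: the first function stores a bound at add time as the patch does, the second subtracts in-buffer lengths while walking the chain as the reply proposes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace model of a descriptor; not the kernel's struct. */
struct model_desc {
	uint32_t len;        /* length the driver posted */
	bool device_writes;  /* "in" buffer, i.e. VRING_DESC_F_WRITE */
	int next;            /* next index in the chain, -1 terminates */
};

/* Constructed sample chain: a 16-byte out buffer, then in buffers of 64 and 32. */
static const struct model_desc sample_ring[] = {
	{ 16, false, 1 }, { 64, true, 2 }, { 32, true, -1 },
};

/* Patch's approach: sum in-buffer lengths once, at add time, and store the bound. */
static uint32_t model_record_in_len(const struct model_desc *ring, int head)
{
	uint64_t sum = 0;

	for (int i = head; i >= 0; i = ring[i].next)
		if (ring[i].device_writes)
			sum += ring[i].len;
	return sum > UINT32_MAX ? UINT32_MAX : (uint32_t)sum; /* saturate, never wrap */
}

/* Reply's approach: walk the chain as unmap does, subtracting each in length. */
static bool model_check_on_detach(const struct model_desc *ring, int head,
				  uint32_t used_len)
{
	uint64_t left = used_len;

	for (int i = head; i >= 0; i = ring[i].next)
		if (ring[i].device_writes)
			left -= left < ring[i].len ? left : ring[i].len;
	return left == 0; /* anything left over means used_len was too large */
}

int main(void)
{
	uint32_t bound = model_record_in_len(sample_ring, 0);

	for (uint32_t used = 95; used <= 97; used++)
		printf("used=%u stored-bound:%s detach-walk:%s\n", used,
		       used <= bound ? "ok" : "reject",
		       model_check_on_detach(sample_ring, 0, used) ? "ok" : "reject");
	return 0;
}
```

Both checks accept a used length of up to 96 bytes for the sample chain and reject 97; the stored bound costs one u32 per ring entry, while the walk costs nothing extra only where the chain is already being traversed.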