From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 31 May 2023 05:55:50 -0400
From: "Michael S. Tsirkin"
To: Jason Wang
Subject: Re: [PATCH] virtio_ring: validate used buffer length
Message-ID: <20230531053001-mutt-send-email-mst@kernel.org>
References: <20230526063041.18359-1-jasowang@redhat.com> <20230528033037-mutt-send-email-mst@kernel.org> <20230529055729-mutt-send-email-mst@kernel.org> <20230531014326-mutt-send-email-mst@kernel.org>
Cc: xuanzhuo@linux.alibaba.com, linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org
List-Id: Linux virtualization
From: "Michael S. Tsirkin"
To: Jason Wang
Cc: xuanzhuo@linux.alibaba.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] virtio_ring: validate used buffer length
Message-ID: <20230531053001-mutt-send-email-mst@kernel.org>
References: <20230526063041.18359-1-jasowang@redhat.com> <20230528033037-mutt-send-email-mst@kernel.org> <20230529055729-mutt-send-email-mst@kernel.org> <20230531014326-mutt-send-email-mst@kernel.org>

On Wed, May 31, 2023 at 03:36:51PM +0800, Jason Wang wrote:
> On Wed, May 31, 2023 at 1:50 PM Michael S. Tsirkin wrote:
> >
> > On Wed, May 31, 2023 at 09:05:00AM +0800, Jason Wang wrote:
> > > On Mon, May 29, 2023 at 6:03 PM Michael S. Tsirkin wrote:
> > > >
> > > > On Mon, May 29, 2023 at 09:18:10AM +0800, Jason Wang wrote:
> > > > > On Sun, May 28, 2023 at 3:57 PM Michael S. Tsirkin wrote:
> > > > > >
> > > > > > On Fri, May 26, 2023 at 02:30:41PM +0800, Jason Wang wrote:
> > > > > > > This patch validate
> > > > > >
> > > > > > validates
> > > > > >
> > > > > > > the used buffer length provided by the device
> > > > > > > before trying to use it.
> > > > > >
> > > > > > before returning it to caller
> > > > > >
> > > > > > > This is done by remembering the in buffer
> > > > > > > length in a dedicated array during virtqueue_add(), then we can fail
> > > > > > > the virtqueue_get_buf() when we find the device is trying to give us a
> > > > > > > used buffer length which is greater than we stored before.
> > > > > >
> > > > > > than what we stored
> > > > > >
> > > > > > >
> > > > > > > This validation is disable
> > > > > >
> > > > > > disabled
> > > > > >
> > > > > > > by default via module parameter to unbreak
> > > > > > > some existing devices since some legacy devices are known to report
> > > > > > > buggy used length.
> > > > > > >
> > > > > > > Signed-off-by: Jason Wang
> > > > > >
> > > > > > First I'm not merging this without more data about
> > > > > > what is known to be broken and what is known to work well
> > > > > > in the commit log. And how exactly do things work if used length
> > > > > > is wrong?
> > > > >
> > > > > Assuming the device is malicious, it would be very hard to answer.
> > > > > Auditing and fuzzing won't cover every case. Instead of trying to seek
> > > > > the answer, we can simply make sure the used in buffer length is
> > > > > validated then we know we're fine or not.
> > > >
> > > > To restate the question, you said above "some legacy devices are known
> > > > to report buggy used length". If they report buggy length then how
> > > > can things work?
> > >
> > > The validation is disabled for legacy device (as stated in the changelog):
> > >
> > > static bool vring_needs_used_validation(const struct virtio_device *vdev)
> > > {
> > >         /*
> > >          * Several legacy devices are known to produce buggy used
> > >          * length. In order to let driver work, we won't validate used
> > >          * buffer length in this case.
> > >          */
> > >         if (!virtio_has_feature(vdev, VIRTIO_F_VERSION_1))
> > >                 return false;
> > >         if (force_used_validation)
> > >                 return true;
> > >         return false;
> > > }
> > >
> > > This seems to be what we've agreed in last version:
> > >
> > > https://lore.kernel.org/all/CANLsYkxfhamUU0bb4j7y6N4_G9odKxLCjXxgXEx4SJ6_Kf+M2Q@mail.gmail.com/T/#m31f3b06f9032beec175c312dfa2532cb08b15c56
> > >
> > > Thanks
> > >
> >
> > I don't get it. You wrote:
> >
> > This validation is disable
> > by default via module parameter to unbreak
> > some existing devices since some legacy devices are known to report
> > buggy used length.
> >
> > which devices?
>
> legacy rpmsg and vsock device (before 49d8c5ffad07) at least.
>
> > why do you need a module parameter?
>
> If we enable it unconditionally for modern devices, it may break some
> buggy modern device (vsock without a fix as an example).

Presumably this happens because vsock does not have any inbuf at all
so it ignores the length. We had the same with virtio net tx a long
time ago. My suggestion is then not to fail - just cap length at the
dma length set by driver. Another idea is that if dma len is 0 then
don't validate at all - driver that did not add any inbufs is not going
to look at length. Allowing passing NULL as length and skipping
validation if len = 0 might also be a good idea.

>
> >
> > > > >
> > > > > > Second what's wrong with dma_desc_extra that we already maintain?
> > > > > > Third motivation - it's part and parcel of the hardening effort yes?
> > > > >
> > > > > They are different. dma_desc_extra is for a descriptor ring, but this
> > > > > is for a used ring. Technically we can go back to iterate on the
> > > > > descriptor ring for a legal used in buffer length. But it will have
> > > > > worse performance.
> > > >
> > > > I don't really understand. We already iterate when we unmap -
> > > > all that is necessary is to subtract it from used length, if at
> > > > the end of the process it is >0 then we know used length is too
> > > > large.
> > >
> > > Yes, but it is the job that is done in the driver level not the virtio
> > > core.
> >
> > What job?
>
> I meant the driver can do the validation since it has the knowledge of
> the buffer length if it wants.

It does not necessarily have it - not if virtio is doing DMA mapping.

> > unmap is done in detach_buf_split and detach_buf_packed respectively.
> > vring_desc_extra isn't even visible outside drivers/virtio/virtio_ring.c
>
> desc_extra doesn't contain buffer length for the case of indirect
> descriptors. So we need to iterate in the descriptors when it looks
> expensive if we don't need unmap.
>
> Thanks

Well at the moment we only don't unmap if DMA API is bypassed.
And then we don't need to validate length either.
Fundamentally, without ACCESS_PLATFORM device is trusted.

> >
> > For drivers that do unmap at driver level - I guess they can do
> > validation there too.
> >
> > > Validation in virtio core is still necessary since they're
> > > working at different levels and it's hard to force the validation in
> > > all drivers by codes. Last version introduces a
> > > suppress_driver_validation to allow the driver to suppress the core
> > > validation which seems not good, we need a way to force the
> > > virtio_ring code to do validation before.
> >
> > Why do we? If driver validates length virtio_ring does not need to
> > validate. If driver does not use length virtio_ring does not need to
> > validate. core can provide this service for the gazillion non
> > performance critical drivers that just want to keep things simple,
> > but the 4-5 critical ones can do their own validation if they want to.
> >
> > > Or such stuff could be added
> > > on top since the validation is by default anyway.
> > >
> > > Thanks
> > >
> > > >
> > > > >
> > > > > >
> > > > > > I'd like to know the fate of VIRTIO_HARDEN_NOTIFICATION before
> > > > > > we do more hardening. If it's irrevocably broken let's rip it out?
> > > > >
> > > > > So the plan is
> > > > >
> > > > > 1) finish used ring validation (this had been proposed, merged and
> > > > > reverted before notification hardening)
> > > > > 2) do notification hardening on top.
> > > > >
> > > > > So let's leave it as is and I will do a rework after we finalize the
> > > > > used ring validation.
> > > > > > > > > > Thanks > > > > > > > > > > > > > > > > > > > > > > > > --- > > > > > > > Changes since V4: > > > > > > > - drop the flat for driver to suppress the check > > > > > > > - validation is disabled by default > > > > > > > - don't do validation for legacy device > > > > > > > - rebase and support virtqueue resize > > > > > > > --- > > > > > > > drivers/virtio/virtio_ring.c | 75 ++++++++++++++++++++++++++++++++++++ > > > > > > > 1 file changed, 75 insertions(+) > > > > > > > > > > > > > > diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c > > > > > > > index 143f380baa1c..5b151605aaf8 100644 > > > > > > > --- a/drivers/virtio/virtio_ring.c > > > > > > > +++ b/drivers/virtio/virtio_ring.c > > > > > > > @@ -15,6 +15,9 @@ > > > > > > > #include > > > > > > > #include > > > > > > > > > > > > > > +static bool force_used_validation = false; > > > > > > > +module_param(force_used_validation, bool, 0444); > > > > > > > + > > > > > > > #ifdef DEBUG > > > > > > > /* For development, we want to crash whenever the ring is screwed. */ > > > > > > > #define BAD_RING(_vq, fmt, args...) \ > > > > > > > @@ -105,6 +108,9 @@ struct vring_virtqueue_split { > > > > > > > struct vring_desc_state_split *desc_state; > > > > > > > struct vring_desc_extra *desc_extra; > > > > > > > > > > > > > > + /* Maximum in buffer length, NULL means no used validation */ > > > > > > > + u32 *buflen; > > > > > > > + > > > > > > > /* DMA address and size information */ > > > > > > > dma_addr_t queue_dma_addr; > > > > > > > size_t queue_size_in_bytes; 
> > > > > > > @@ -145,6 +151,9 @@ struct vring_virtqueue_packed { > > > > > > > struct vring_desc_state_packed *desc_state; > > > > > > > struct vring_desc_extra *desc_extra; > > > > > > > > > > > > > > + /* Maximum in buffer length, NULL means no used validation */ > > > > > > > + u32 *buflen; > > > > > > > + > > > > > > > /* DMA address and size information */ > > > > > > > dma_addr_t ring_dma_addr; > > > > > > > dma_addr_t driver_event_dma_addr; > > > > > > > @@ -552,6 +561,7 @@ static inline int virtqueue_add_split(struct virtqueue *_vq, > > > > > > > unsigned int i, n, avail, descs_used, prev, err_idx; > > > > > > > int head; > > > > > > > bool indirect; > > > > > > > + u32 buflen = 0; > > > > > > > > > > > > > > START_USE(vq); > > > > > > > > > > > > > > @@ -635,6 +645,7 @@ static inline int virtqueue_add_split(struct virtqueue *_vq, > > > > > > > VRING_DESC_F_NEXT | > > > > > > > VRING_DESC_F_WRITE, > > > > > > > indirect); > > > > > > > + buflen += sg->length; > > > > > > > } > > > > > > > } > > > > > > > /* Last one doesn't continue. */ > > > > > > > @@ -675,6 +686,10 @@ static inline int virtqueue_add_split(struct virtqueue *_vq, > > > > > > > else > > > > > > > vq->split.desc_state[head].indir_desc = ctx; > > > > > > > > > > > > > > + /* Store in buffer length if necessary */ > > > > > > > + if (vq->split.buflen) > > > > > > > + vq->split.buflen[head] = buflen; > > > > > > > + > > > > > > > /* Put entry in available array (but don't update avail->idx until they > > > > > > > * do sync). */ > > > > > > > avail = vq->split.avail_idx_shadow & (vq->split.vring.num - 1); 
> > > > > > > @@ -861,6 +876,11 @@ static void *virtqueue_get_buf_ctx_split(struct virtqueue *_vq, > > > > > > > BAD_RING(vq, "id %u is not a head!\n", i); > > > > > > > return NULL; > > > > > > > } > > > > > > > + if (vq->split.buflen && unlikely(*len > vq->split.buflen[i])) { > > > > > > > + BAD_RING(vq, "used len %d is larger than max in buffer len %u\n", > > > > > > > + *len, vq->split.buflen[i]); > > > > > > > + return NULL; > > > > > > > + } > > > > > > > > > > > > > > /* detach_buf_split clears data, so grab it now. */ > > > > > > > ret = vq->split.desc_state[i].data; > > > > > > > @@ -1085,10 +1105,25 @@ static void vring_free_split(struct vring_virtqueue_split *vring_split, > > > > > > > vring_split->queue_dma_addr, > > > > > > > dma_dev); > > > > > > > > > > > > > > + kfree(vring_split->buflen); > > > > > > > kfree(vring_split->desc_state); > > > > > > > kfree(vring_split->desc_extra); > > > > > > > } > > > > > > > > > > > > > > +static bool vring_needs_used_validation(const struct virtio_device *vdev) > > > > > > > +{ > > > > > > > + /* > > > > > > > + * Several legacy devices are known to produce buggy used > > > > > > > + * length. In order to let driver work, we won't validate used > > > > > > > + * buffer length in this case. > > > > > > > + */ > > > > > > > + if (!virtio_has_feature(vdev, VIRTIO_F_VERSION_1)) > > > > > > > + return false; > > > > > > > + if (force_used_validation) > > > > > > > + return true; > > > > > > > + return false; > > > > > > > +} > > > > > > > + > > > > > > > static int vring_alloc_queue_split(struct vring_virtqueue_split *vring_split, > > > > > > > struct virtio_device *vdev, > > > > > > > u32 num, 
> > > > > > > @@ -1137,7 +1172,19 @@ static int vring_alloc_queue_split(struct vring_virtqueue_split *vring_split, > > > > > > > vring_split->vring_align = vring_align; > > > > > > > vring_split->may_reduce_num = may_reduce_num; > > > > > > > > > > > > > > + if (vring_needs_used_validation(vdev)) { > > > > > > > + vring_split->buflen = > > > > > > > + kmalloc_array(num, sizeof(*vring_split->buflen), > > > > > > > + GFP_KERNEL); > > > > > > > + if (!vring_split->buflen) > > > > > > > + goto err_buflen; > > > > > > > + } > > > > > > > + > > > > > > > return 0; > > > > > > > + > > > > > > > +err_buflen: > > > > > > > + vring_free_split(vring_split, vdev, dma_dev); > > > > > > > + return -ENOMEM; > > > > > > > } > > > > > > > > > > > > > > static struct virtqueue *vring_create_virtqueue_split( > > > > > > > @@ -1297,6 +1344,7 @@ static int virtqueue_add_indirect_packed(struct vring_virtqueue *vq, > > > > > > > unsigned int i, n, err_idx; > > > > > > > u16 head, id; > > > > > > > dma_addr_t addr; > > > > > > > + u32 buflen = 0; > > > > > > > > > > > > > > head = vq->packed.next_avail_idx; > > > > > > > desc = alloc_indirect_packed(total_sg, gfp); > > > > > > > @@ -1325,6 +1373,8 @@ static int virtqueue_add_indirect_packed(struct vring_virtqueue *vq, > > > > > > > desc[i].addr = cpu_to_le64(addr); > > > > > > > desc[i].len = cpu_to_le32(sg->length); > > > > > > > i++; > > > > > > > + if (n >= out_sgs) > > > > > > > + buflen += sg->length; > > > > > > > } > > > > > > > } > > > > 
> > > > > > > > > > @@ -1379,6 +1429,10 @@ static int virtqueue_add_indirect_packed(struct vring_virtqueue *vq, > > > > > > > vq->packed.desc_state[id].last = id; > > > > > > > vq->packed.desc_state[id].premapped = premapped; > > > > > > > > > > > > > > + /* Store in buffer length if necessary */ > > > > > > > + if (vq->packed.buflen) > > > > > > > + vq->packed.buflen[id] = buflen; > > > > > > > + > > > > > > > vq->num_added += 1; > > > > > > > > > > > > > > pr_debug("Added buffer head %i to %p\n", head, vq); > > > > > > > @@ -1416,6 +1470,7 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, > > > > > > > __le16 head_flags, flags; > > > > > > > u16 head, id, prev, curr, avail_used_flags; > > > > > > > int err; > > > > > > > + u32 buflen = 0; > > > > > > > > > > > > > > START_USE(vq); > > > > > > > > > > > > > > @@ -1498,6 +1553,8 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, > > > > > > > 1 << VRING_PACKED_DESC_F_AVAIL | > > > > > > > 1 << VRING_PACKED_DESC_F_USED; > > > > > > > } > > > > > > > + if (n >= out_sgs) > > > > > > > + buflen += sg->length; > > > > > > > } > > > > > > > } > > > > > > > > > > > > > > @@ -1518,6 +1575,10 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, > > > > > > > vq->packed.desc_state[id].last = prev; > > > > > > > vq->packed.desc_state[id].premapped = premapped; > > > > > > > > > > > > > > + /* Store in buffer length if necessary */ > > > > > > > + if (vq->packed.buflen) > > > > > > > + vq->packed.buflen[id] = buflen; > > > > > > > + > > > > > > > /* > > > > > > > * A driver MUST NOT make the first descriptor in the list > > > > > > > * available before all subsequent descriptors comprising 
> > > > > > > @@ -1718,6 +1779,11 @@ static void *virtqueue_get_buf_ctx_packed(struct virtqueue *_vq, > > > > > > > BAD_RING(vq, "id %u is not a head!\n", id); > > > > > > > return NULL; > > > > > > > } > > > > > > > + if (vq->packed.buflen && unlikely(*len > vq->packed.buflen[id])) { > > > > > > > + BAD_RING(vq, "used len %d is larger than max in buffer len %u\n", > > > > > > > + *len, vq->packed.buflen[id]); > > > > > > > + return NULL; > > > > > > > + } > > > > > > > > > > > > > > /* detach_buf_packed clears data, so grab it now. */ > > > > > > > ret = vq->packed.desc_state[id].data; > > > > > > > @@ -1937,6 +2003,7 @@ static void vring_free_packed(struct vring_virtqueue_packed *vring_packed, > > > > > > > vring_packed->device_event_dma_addr, > > > > > > > dma_dev); > > > > > > > > > > > > > > + kfree(vring_packed->buflen); > > > > > > > kfree(vring_packed->desc_state); > > > > > > > kfree(vring_packed->desc_extra); > > > > > > > } > > > > > > > @@ -1988,6 +2055,14 @@ static int vring_alloc_queue_packed(struct vring_virtqueue_packed *vring_packed, > > > > > > > > > > > > > > vring_packed->vring.num = num; > > > > > > > > > > > > > > + if (vring_needs_used_validation(vdev)) { > > > > > > > + vring_packed->buflen = > > > > > > > + kmalloc_array(num, sizeof(*vring_packed->buflen), > > > > > > > + GFP_KERNEL); > > > > > > > + if (!vring_packed->buflen) > > > > > > > + goto err; > > > > > > > + } > > > > > > > + > > > > > > > return 0; > > > > > > > > > > > > > > err: > > > > > > > -- > > > > > > > 2.25.1 > > > > > > > > > > > >
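
Review bot: in the first hunk (@@ -15,6 +15,9), `static bool force_used_validation = false;` initialises a static to false, which checkpatch rejects because statics are already zero-initialised; drop the initialiser. The parameter also has no MODULE_PARM_DESC, and since the mode is 0444 it can only be chosen at load time, so a one-line description stating that it affects only VIRTIO_F_VERSION_1 devices would help whoever has to decide whether to set it.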
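
Review bot: in the virtqueue_add_split() hunk (@@ -635,6 +645,7), `buflen += sg->length;` accumulates into a u32 with no overflow check, so a chain whose writable lengths sum past 32 bits stores a wrapped, too-small bound and a correct used length from the device would then hit BAD_RING. Use check_add_overflow() or saturate at U32_MAX; the same accumulation appears in virtqueue_add_indirect_packed() and virtqueue_add_packed().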
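
Review bot: in the virtqueue_get_buf_ctx_split() hunk (@@ -861,6 +876,11), `*len` is compared against a u32 but printed with `%d`, so a device-supplied length above INT_MAX is logged as a negative number exactly when the log line matters most; use `%u` (the virtqueue_get_buf_ctx_packed() hunk has the same format string). The early `return NULL` also sits before the "detach_buf_split clears data" step, so the chain for that head is not released on this path; the commit log should say whether that is intended once the ring has been marked bad.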
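
Review bot: in the hunk adding vring_needs_used_validation() (@@ -1085,10 +1105,25), the comment documents only the legacy case, yet the function also returns false for every VIRTIO_F_VERSION_1 device unless force_used_validation is set, which means validation is off everywhere by default; the comment should say that. The tail `if (force_used_validation) return true; return false;` can be written as `return force_used_validation;`.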
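
Review bot: in the vring_alloc_queue_split() hunk (@@ -1137,7 +1172,19), `vring_split->buflen` is assigned only when vring_needs_used_validation() returns true, so the "NULL means no used validation" convention depends on the caller having zeroed the struct, and the array from kmalloc_array() holds uninitialised bounds until virtqueue_add writes each head. Setting buflen to NULL explicitly in the other case and allocating with kcalloc() would make both properties local to this function, which is worth having given the changelog mentions resize support; the same applies to vring_alloc_queue_packed().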
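
A userspace model of the three behaviours debated in this thread: fail as the patch does, cap the length, or skip validation when the driver posted no in buffer. This is an added example, not code from the patch or from the kernel; model_vq, model_add, model_get_buf and the POLICY_* names are hypothetical, and the sample scatterlist lengths are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define RING_NUM 4

/* Hypothetical names for the three behaviours discussed in the thread. */
enum used_policy {
    POLICY_FAIL,       /* the patch: reject a used length above the bound */
    POLICY_CAP,        /* clamp to the length the driver posted */
    POLICY_SKIP_NO_IN, /* like FAIL, but skip heads with no in buffer */
};

struct model_vq {
    uint32_t buflen[RING_NUM]; /* device-writable bytes posted per head */
    int broken;                /* set where the kernel would BAD_RING() */
};

/* Driver side: sg_len[] holds out_sgs readable entries, then in_sgs writable. */
static int model_add(struct model_vq *vq, unsigned int head,
                     const uint32_t *sg_len, unsigned int out_sgs,
                     unsigned int in_sgs)
{
    uint64_t sum = 0;
    unsigned int n;

    if (head >= RING_NUM)
        return -1;
    for (n = out_sgs; n < out_sgs + in_sgs; n++)
        sum += sg_len[n];
    if (sum > UINT32_MAX) /* refuse instead of letting the bound wrap */
        return -1;
    vq->buflen[head] = (uint32_t)sum;
    return 0;
}

/* Completion side: returns 0 and sets *len, or -1 and marks the queue broken. */
static int model_get_buf(struct model_vq *vq, unsigned int head,
                         uint32_t dev_len, enum used_policy policy,
                         uint32_t *len)
{
    uint32_t max;

    if (vq->broken || head >= RING_NUM)
        return -1;
    max = vq->buflen[head];
    if (dev_len <= max || (policy == POLICY_SKIP_NO_IN && max == 0)) {
        *len = dev_len;
        return 0;
    }
    if (policy == POLICY_CAP) {
        *len = max; /* never hand the driver more than it posted */
        return 0;
    }
    vq->broken = 1;
    return -1;
}

int main(void)
{
    struct model_vq vq = { { 0 }, 0 };
    const uint32_t rx[] = { 16, 1500 }; /* constructed: 1 out sg, 1 in sg */
    uint32_t len = 0;
    int rc;

    model_add(&vq, 0, rx, 1, 1);
    rc = model_get_buf(&vq, 0, 4096, POLICY_CAP, &len);
    printf("cap:  rc=%d len=%u\n", rc, (unsigned int)len);
    rc = model_get_buf(&vq, 0, 4096, POLICY_FAIL, &len);
    printf("fail: rc=%d broken=%d\n", rc, vq.broken);
    return 0;
}
```

A transmit-only buffer (no in sg) gets a bound of 0, so under POLICY_FAIL any non-zero used length breaks the queue, which is the vsock case raised in the thread.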