| Message ID | 20221126040000.775914-1-harshit.m.mogalapalli@oracle.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp4446162wrr;
Fri, 25 Nov 2022 20:03:27 -0800 (PST)
X-Google-Smtp-Source:
AA0mqf5Kv3WCUzW0e62GgVE9U3Gg3l7TBT4PCmGQg/twSYLdaDIhzf9S3vttHAP/gE8CPMxVk5Fa
X-Received: by 2002:a17:90b:46ca:b0:212:ce2d:9fd7 with SMTP id
jx10-20020a17090b46ca00b00212ce2d9fd7mr44418205pjb.157.1669435407321;
Fri, 25 Nov 2022 20:03:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669435407; cv=none;
d=google.com; s=arc-20160816;
b=p+V1U+7RNMQpyoKslGmEZgqcEnQe3E9AfFyxS49o90WIO5NjdWsCGxxWmKk1iaMn3J
nL9e/w6kitU20HDq4sEphCONFjlbSVdzuuWi0vYUkhkyEgxMEFeGZMCfVKwCL4+NdtfZ
3TKEKb8NVHuKq3lUu/iVKf4JBj7kXIrFHFySzefdhyeOD3uFuR7Y48g8q1DFoDucXjAg
5qhmeEmdT0SzMlKTCRVba38Dnngu50hg4GiBsiBda2iWz7YOaw0ezDhaUU4rmHdYIBlY
Ou/HbYH19IYueAmZjrvJPxreXQbKVTrx/kqzyHKsXYXu29DfBWR3nkDykNZ7FDH6VXfJ
FeqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:to:content-transfer-encoding:mime-version
:message-id:date:subject:cc:from:dkim-signature;
bh=86FpH3oiEaRToGTOfAbl1a68NK0H++B6xU/ccV5PssI=;
b=mwSToTzoZwdIg2mzIPllwMETko0va/BxYeZJ5pHLXp5w81jgRgZv1qvPLUKZr4Zxhq
h1LPet8VrL4Duk6Sx7XA6hHmP01B4nrr+dnjkXR9b7bbe3Kmj6OSQClY+XYljJ00+7GV
dha0QKbPPRjB1NCc6ulR+Oxhxu1vVa28mIYzsHUN9J1V0moDhCnjB1AOEm5eR6+oeR3v
M52eDL8fNMX6r6OFuGRvhyhB1yW066UHKJ1yfSTkK25eEkkL/QN+SM6ZQsOf8wckV8Mc
1vHTmRjWUB5FYkQZN5fAxizmWr5L07lsUjjwDOh59OcyHH+ZQPcue+ZSnEXb1U0/bMuR
E4/w==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=fail header.i=@oracle.com header.s=corp-2022-7-12
header.b=SxijZMQU;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
g24-20020a63fa58000000b0044b5e15db73si4739884pgk.249.2022.11.25.20.03.11;
Fri, 25 Nov 2022 20:03:27 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=fail header.i=@oracle.com header.s=corp-2022-7-12
header.b=SxijZMQU;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229810AbiKZEAh (ORCPT <rfc822;zxc52fgh@gmail.com> + 99 others);
Fri, 25 Nov 2022 23:00:37 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52750 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229514AbiKZEAf (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 25 Nov 2022 23:00:35 -0500
Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com
[205.220.165.32])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8863C2CCB7
for <linux-kernel@vger.kernel.org>;
Fri, 25 Nov 2022 20:00:33 -0800 (PST)
Received: from pps.filterd (m0246627.ppops.net [127.0.0.1])
by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
2AQ390WW005777;
Sat, 26 Nov 2022 04:00:23 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
h=from : to : cc :
subject : date : message-id : mime-version : content-transfer-encoding;
s=corp-2022-7-12; bh=86FpH3oiEaRToGTOfAbl1a68NK0H++B6xU/ccV5PssI=;
b=SxijZMQUN0pbxslbw01JRRVyFEhksxWOUlSz8H62yoDjPN8gGBidEwFqNSNssg98+muA
ESVjwVx5mzPo3gXvG9eBAlNP1EXJs7TKqz8T8s6Ie+LkHT0PVTQpDB9vWSS7uLYVyQ27
Y3bGx87XgUIR124JSiX1shSmPqkErCNiETThLaRwm7aO+E9qFI7A/JxIWdXmWPczTHjh
n78ewfLrptFViNxAH/NkC0roECjR3rz8x8jnahkhMLOfVgS6EOvNmsyD+VpQEXvK7b8o
NSFO6GwBNc4cflBSi4sv/tQaOj48PxrmF6jPYxcBhp1l8dHVFmWG78JWBHpQn7gS5/UC qQ==
Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com
(iadpaimrmta03.appoci.oracle.com [130.35.103.27])
by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3m39dfr2d6-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Sat, 26 Nov 2022 04:00:22 +0000
Received: from pps.filterd
(iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1])
by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com
(8.17.1.5/8.17.1.5) with ESMTP id 2AQ1XkV4007555;
Sat, 26 Nov 2022 04:00:21 GMT
Received: from pps.reinject (localhost [127.0.0.1])
by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with
ESMTPS id 3m3988c6pa-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Sat, 26 Nov 2022 04:00:21 +0000
Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com
(iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1])
by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 2AQ40KIw039282;
Sat, 26 Nov 2022 04:00:20 GMT
Received: from ca-dev112.us.oracle.com (ca-dev112.us.oracle.com
[10.129.136.47])
by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with
ESMTP id 3m3988c6jw-1;
Sat, 26 Nov 2022 04:00:20 +0000
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Cc: harshit.m.mogalapalli@oracle.com, error27@gmail.com,
harshit.m.mogalapalli@gmail.com,
"Michael S. Tsirkin" <mst@redhat.com>,
Jason Wang <jasowang@redhat.com>,
Xie Yongji <xieyongji@bytedance.com>,
Gautam Dawar <gautam.dawar@xilinx.com>,
Maxime Coquelin <maxime.coquelin@redhat.com>,
Guanjun <guanjun@linux.alibaba.com>,
Parav Pandit <parav@nvidia.com>, Eli Cohen <elic@nvidia.com>,
virtualization@lists.linux-foundation.org,
linux-kernel@vger.kernel.org
Subject: [PATCH] vduse: Fix a possible warning in vduse_create_dev()
Date: Fri, 25 Nov 2022 19:59:58 -0800
Message-Id: <20221126040000.775914-1-harshit.m.mogalapalli@oracle.com>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.219,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1
definitions=2022-11-26_02,2022-11-25_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
suspectscore=0 phishscore=0
mlxlogscore=999 mlxscore=0 adultscore=0 bulkscore=0 malwarescore=0
classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000
definitions=main-2211260029
X-Proofpoint-ORIG-GUID: _Sfm4z2GCsIcp460MDMbNp7fhdcBRdKI
X-Proofpoint-GUID: _Sfm4z2GCsIcp460MDMbNp7fhdcBRdKI
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
To: unlisted-recipients:; (no To-header on input)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1750529901577399249?=
X-GMAIL-MSGID: =?utf-8?q?1750529901577399249?=
|
| Series |
vduse: Fix a possible warning in vduse_create_dev()
|
|
Commit Message
Harshit Mogalapalli
Nov. 26, 2022, 3:59 a.m. UTC
As 'dev->vq_num' is user-controlled data, if user tries to allocate
memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it
creates a stack trace and messes up dmesg with a warning.
Call trace:
-> vduse_ioctl
--> vduse_create_dev
'config->vq_num' is user data as it comes from ioctl, which is
assigned to 'dev->vq_num'.
Add __GFP_NOWARN in order to avoid too large allocation warning.
This is detected by static analysis using smatch.
Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: > As 'dev->vq_num' is user-controlled data, if user tries to allocate > memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it > creates a stack trace and messes up dmesg with a warning. > > Call trace: > -> vduse_ioctl > --> vduse_create_dev > 'config->vq_num' is user data as it comes from ioctl, which is > assigned to 'dev->vq_num'. > > Add __GFP_NOWARN in order to avoid too large allocation warning. > This is detected by static analysis using smatch. > > Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> > --- > drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > index 35dceee3ed56..5e9546b16165 100644 > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, > dev->config_size = config->config_size; > dev->vq_align = config->vq_align; > dev->vq_num = config->vq_num; > - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); > + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), > + GFP_KERNEL | __GFP_NOWARN); > if (!dev->vqs) > goto err_vqs; This is insufficient - the real source of the problem is that vq_num is not validated. The thing to do is to validate config and limit vq_num to 0xffff; > -- > 2.38.1
Hi Micheal, On 27/11/22 4:52 am, Michael S. Tsirkin wrote: > On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: >> As 'dev->vq_num' is user-controlled data, if user tries to allocate >> memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it >> creates a stack trace and messes up dmesg with a warning. >> >> Call trace: >> -> vduse_ioctl >> --> vduse_create_dev >> 'config->vq_num' is user data as it comes from ioctl, which is >> assigned to 'dev->vq_num'. >> >> Add __GFP_NOWARN in order to avoid too large allocation warning. >> This is detected by static analysis using smatch. >> >> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") >> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> >> --- >> drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c >> index 35dceee3ed56..5e9546b16165 100644 >> --- a/drivers/vdpa/vdpa_user/vduse_dev.c >> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c >> @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, >> dev->config_size = config->config_size; >> dev->vq_align = config->vq_align; >> dev->vq_num = config->vq_num; >> - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); >> + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), >> + GFP_KERNEL | __GFP_NOWARN); >> if (!dev->vqs) >> goto err_vqs; > Thanks for checking the patch. > This is insufficient - the real source of the problem is that > vq_num is not validated. > The thing to do is to validate config and limit vq_num to 0xffff; > 1557 static long vduse_ioctl(struct file *file, unsigned int cmd, 1558 unsigned long arg) 1559 { 1560 int ret; 1561 void __user *argp = (void __user *)arg; 1564 mutex_lock(&vduse_lock); 1565 switch (cmd) { .... 1584 case VDUSE_CREATE_DEV: { 1585 struct vduse_dev_config config; 1587 void *buf; 1588 1589 ret = -EFAULT; 1590 if (copy_from_user(&config, argp, size)) 1591 break; 1592 1593 ret = -EINVAL; 1594 if (vduse_validate_config(&config) == false) 1595 break; 1596 1597 buf = vmemdup_user(argp + size, config.config_size); 1598 if (IS_ERR(buf)) { 1599 ret = PTR_ERR(buf); 1600 break; 1601 } 1602 config.name[VDUSE_NAME_MAX - 1] = '\0'; 1603 ret = vduse_create_dev(&config, buf, control->api_version); 1604 if (ret) 1605 kvfree(buf); 1606 break; 1607 } we have vduse_validate_config() being called in vduse_ioctl() which is the caller of vduse_create_dev(), so validate_config() is not necessary in vduse_create_dev() ? Thanks, Harshit > >> -- >> 2.38.1 >
On Sun, Nov 27, 2022 at 08:16:24AM +0530, Harshit Mogalapalli wrote: > Hi Micheal, > > On 27/11/22 4:52 am, Michael S. Tsirkin wrote: > > On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: > > > As 'dev->vq_num' is user-controlled data, if user tries to allocate > > > memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it > > > creates a stack trace and messes up dmesg with a warning. > > > > > > Call trace: > > > -> vduse_ioctl > > > --> vduse_create_dev > > > 'config->vq_num' is user data as it comes from ioctl, which is > > > assigned to 'dev->vq_num'. > > > > > > Add __GFP_NOWARN in order to avoid too large allocation warning. > > > This is detected by static analysis using smatch. > > > > > > Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") > > > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> > > > --- > > > drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > > > index 35dceee3ed56..5e9546b16165 100644 > > > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > > > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > > > @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, > > > dev->config_size = config->config_size; > > > dev->vq_align = config->vq_align; > > > dev->vq_num = config->vq_num; > > > - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); > > > + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), > > > + GFP_KERNEL | __GFP_NOWARN); > > > if (!dev->vqs) > > > goto err_vqs; > > > > Thanks for checking the patch. > > > This is insufficient - the real source of the problem is that > > vq_num is not validated. > > The thing to do is to validate config and limit vq_num to 0xffff; > > > > 1557 static long vduse_ioctl(struct file *file, unsigned int cmd, > 1558 unsigned long arg) > 1559 { > 1560 int ret; > 1561 void __user *argp = (void __user *)arg; > 1564 mutex_lock(&vduse_lock); > 1565 switch (cmd) { > .... > 1584 case VDUSE_CREATE_DEV: { > 1585 struct vduse_dev_config config; > 1587 void *buf; > 1588 > 1589 ret = -EFAULT; > 1590 if (copy_from_user(&config, argp, size)) > 1591 break; > 1592 > 1593 ret = -EINVAL; > 1594 if (vduse_validate_config(&config) == false) > 1595 break; > 1596 > 1597 buf = vmemdup_user(argp + size, config.config_size); > 1598 if (IS_ERR(buf)) { > 1599 ret = PTR_ERR(buf); > 1600 break; > 1601 } > 1602 config.name[VDUSE_NAME_MAX - 1] = '\0'; > 1603 ret = vduse_create_dev(&config, buf, > control->api_version); > 1604 if (ret) > 1605 kvfree(buf); > 1606 break; > 1607 } > > we have vduse_validate_config() being called in vduse_ioctl() which is the > caller of vduse_create_dev(), so validate_config() is not necessary in > vduse_create_dev() ? > > Thanks, > Harshit OK but I don't see vduse_validate_config checking vq_num. > > > > > -- > > > 2.38.1 > >
Btw, after you add the check to vduse_validate_config() you can test that it silences the Smatch warning by doing: kchecker --info drivers/vdpa/vdpa_user/vduse_dev.c | tee out ~/smatch/smatch_data/db/reload_partial.sh out kchecker drivers/vdpa/vdpa_user/vduse_dev.c You might need to do a second --info and reload for the changes to propagate. regards, dan carpenter
Hi Micheal, On 27/11/22 10:04 pm, Michael S. Tsirkin wrote: > On Sun, Nov 27, 2022 at 08:16:24AM +0530, Harshit Mogalapalli wrote: >> Hi Micheal, >> >> On 27/11/22 4:52 am, Michael S. Tsirkin wrote: >>> On Fri, Nov 25, 2022 at 07:59:58PM -0800, Harshit Mogalapalli wrote: >>>> As 'dev->vq_num' is user-controlled data, if user tries to allocate >>>> memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it >>>> creates a stack trace and messes up dmesg with a warning. >>>> >>>> Call trace: >>>> -> vduse_ioctl >>>> --> vduse_create_dev >>>> 'config->vq_num' is user data as it comes from ioctl, which is >>>> assigned to 'dev->vq_num'. >>>> >>>> Add __GFP_NOWARN in order to avoid too large allocation warning. >>>> This is detected by static analysis using smatch. >>>> >>>> Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") >>>> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> >>>> --- >>>> drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- >>>> 1 file changed, 2 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c >>>> index 35dceee3ed56..5e9546b16165 100644 >>>> --- a/drivers/vdpa/vdpa_user/vduse_dev.c >>>> +++ b/drivers/vdpa/vdpa_user/vduse_dev.c >>>> @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, >>>> dev->config_size = config->config_size; >>>> dev->vq_align = config->vq_align; >>>> dev->vq_num = config->vq_num; >>>> - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); >>>> + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), >>>> + GFP_KERNEL | __GFP_NOWARN); >>>> if (!dev->vqs) >>>> goto err_vqs; >>> >> >> Thanks for checking the patch. >> >>> This is insufficient - the real source of the problem is that >>> vq_num is not validated. >>> The thing to do is to validate config and limit vq_num to 0xffff; >>> >> >> 1557 static long vduse_ioctl(struct file *file, unsigned int cmd, >> 1558 unsigned long arg) >> 1559 { >> 1560 int ret; >> 1561 void __user *argp = (void __user *)arg; >> 1564 mutex_lock(&vduse_lock); >> 1565 switch (cmd) { >> .... >> 1584 case VDUSE_CREATE_DEV: { >> 1585 struct vduse_dev_config config; >> 1587 void *buf; >> 1588 >> 1589 ret = -EFAULT; >> 1590 if (copy_from_user(&config, argp, size)) >> 1591 break; >> 1592 >> 1593 ret = -EINVAL; >> 1594 if (vduse_validate_config(&config) == false) >> 1595 break; >> 1596 >> 1597 buf = vmemdup_user(argp + size, config.config_size); >> 1598 if (IS_ERR(buf)) { >> 1599 ret = PTR_ERR(buf); >> 1600 break; >> 1601 } >> 1602 config.name[VDUSE_NAME_MAX - 1] = '\0'; >> 1603 ret = vduse_create_dev(&config, buf, >> control->api_version); >> 1604 if (ret) >> 1605 kvfree(buf); >> 1606 break; >> 1607 } >> >> we have vduse_validate_config() being called in vduse_ioctl() which is the >> caller of vduse_create_dev(), so validate_config() is not necessary in >> vduse_create_dev() ? >> >> Thanks, >> Harshit > > OK but I don't see vduse_validate_config checking vq_num. > right, I have added a limit of 0xffff to vq_num as you suggested in V2. The reason for keeping the limit as 0xffff is the max number of virt queues is the size of vring buffer? Thanks, Harshit >>> >>>> -- >>>> 2.38.1 >>> >
diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index 35dceee3ed56..5e9546b16165 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -1512,7 +1512,8 @@ static int vduse_create_dev(struct vduse_dev_config *config, dev->config_size = config->config_size; dev->vq_align = config->vq_align; dev->vq_num = config->vq_num; - dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), GFP_KERNEL); + dev->vqs = kcalloc(dev->vq_num, sizeof(*dev->vqs), + GFP_KERNEL | __GFP_NOWARN); if (!dev->vqs) goto err_vqs;