| Message ID | 20230203094230.266952-7-thuth@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp744332wrn;
Fri, 3 Feb 2023 01:59:36 -0800 (PST)
X-Google-Smtp-Source:
AK7set89fGcjCMIin5JvwRsL4LJ6T3fSV9pxobAwz5azAuHHVCj0Q/flvXiwUmjf/wyTBJskaw89
X-Received: by 2002:aa7:c552:0:b0:4a0:8bcc:3cbc with SMTP id
s18-20020aa7c552000000b004a08bcc3cbcmr8987877edr.25.1675418376518;
Fri, 03 Feb 2023 01:59:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1675418376; cv=none;
d=google.com; s=arc-20160816;
b=BGCTtlGoBeP2bIgaO48DKu96dJxBKkgQOxfU/tjgRE7EZ6NeYh6QoZRF4hHyU6G+U9
omxEySEfvT1Yss+GW6mm+Q/ovShwTR2IFrtnY28e9MQJat2exU4AzLOKBVZ53B3dj6Y7
/fX/z/oJcV8UctnlcZZKjXffF4pw1gL97pcEsVedJtgM+r8oSSz3zg1TeiSBK18LL3BH
+kY5Mdbnn8N09gk07bkBMPQoVtJEX/95VWYW8JxWLXJoy+yhKFzP2WpKlQxXY10FNzrf
ktVTp/ICfb0qK+MqFcgH1YLcwYt+J3qM+8/Tw1WtrUi5n6LwbwxC8U234rPTrDyhj+/c
eyog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=/sw5RAfO/TETjhBCbaE2sbk1k6OIXCummMa6Dx6bagw=;
b=Cmm8w+oIsDWgMf3yaikBGgR7PJdxRaYqBZlta8AaT42o9T3bfgjEFWr0KfdeTPKpVl
5ETjY/uBhKR+UGQzkuWVdRV6aymIx0qcLweFwextBKRP+BsdML2yE4i6DWkfskwprWWP
sLDX5UwnzkjRbp+8jRukDPMoR1/Q5BaYBYk120/Cp0tH6qA+4f7RPtnUK3tFzttSk5wc
NmBesDtbOejly9m8GNZI2elUH/eduFNbegubzDFsWZiCiJh8S3YAhgdR6K/CBQHDa5Uj
mTqsXzBVtE63wCQi9aksQZxd6MZHyTqeTmsjeJrhkc7z3b6Xsq58cPmXBXbWTGBM2WOF
UwwA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=hu2K2q0x;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
fg13-20020a056402548d00b004a258718d9csi2182766edb.294.2023.02.03.01.59.11;
Fri, 03 Feb 2023 01:59:36 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=hu2K2q0x;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233083AbjBCJoG (ORCPT <rfc822;il.mystafa@gmail.com> + 99 others);
Fri, 3 Feb 2023 04:44:06 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35798 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S232866AbjBCJnu (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 3 Feb 2023 04:43:50 -0500
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B1AA1125B5
for <linux-kernel@vger.kernel.org>;
Fri, 3 Feb 2023 01:43:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1675417382;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=/sw5RAfO/TETjhBCbaE2sbk1k6OIXCummMa6Dx6bagw=;
b=hu2K2q0xzDLsv87fF5KCw626Wa5zKLJvL9KQcoslN6E6Y3lyXNF70fvqn8TEZ7SCAcbf95
eTCLOnfkL7Z51dI16uP06K3RgbgXHbMe6AEF4BPfL8LBfJq1yDCe9W9/NgRgcGkOx4TxdU
hPF96KWj/qxhMYrU0crcU+3Qe3Pe+7E=
Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com
[66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS
(version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
us-mta-108-0lzC7SKGN0GZYvjAe5j_5Q-1; Fri, 03 Feb 2023 04:42:59 -0500
X-MC-Unique: 0lzC7SKGN0GZYvjAe5j_5Q-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com
[10.11.54.2])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 99CE71C05B0C;
Fri, 3 Feb 2023 09:42:58 +0000 (UTC)
Received: from thuth.com (unknown [10.39.192.204])
by smtp.corp.redhat.com (Postfix) with ESMTP id 0461740ED76D;
Fri, 3 Feb 2023 09:42:55 +0000 (UTC)
From: Thomas Huth <thuth@redhat.com>
To: kvm@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>
Cc: kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org,
kvm-riscv@lists.infradead.org, Marc Zyngier <maz@kernel.org>,
James Morse <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Oliver Upton <oliver.upton@linux.dev>,
Zenghui Yu <yuzenghui@huawei.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Janosch Frank <frankja@linux.ibm.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>,
David Hildenbrand <david@redhat.com>,
linuxppc-dev@lists.ozlabs.org
Subject: [PATCH 6/7] KVM: arm64: Change return type of
kvm_vm_ioctl_mte_copy_tags() to "int"
Date: Fri, 3 Feb 2023 10:42:29 +0100
Message-Id: <20230203094230.266952-7-thuth@redhat.com>
In-Reply-To: <20230203094230.266952-1-thuth@redhat.com>
References: <20230203094230.266952-1-thuth@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=unavailable
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1756803499449305402?=
X-GMAIL-MSGID: =?utf-8?q?1756803499449305402?=
|
| Series |
KVM: Standardize on "int" return types instead of "long"
|
|
Commit Message
Thomas Huth
Feb. 3, 2023, 9:42 a.m. UTC
This function only returns normal integer values, so there is
no need to declare its return value as "long".
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
arch/arm64/include/asm/kvm_host.h | 4 ++--
arch/arm64/kvm/guest.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
Comments
Hi Thomas, On 2/3/23 8:42 PM, Thomas Huth wrote: > This function only returns normal integer values, so there is > no need to declare its return value as "long". > > Signed-off-by: Thomas Huth <thuth@redhat.com> > --- > arch/arm64/include/asm/kvm_host.h | 4 ++-- > arch/arm64/kvm/guest.c | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h > index 35a159d131b5..b1a16343767f 100644 > --- a/arch/arm64/include/asm/kvm_host.h > +++ b/arch/arm64/include/asm/kvm_host.h > @@ -963,8 +963,8 @@ int kvm_arm_vcpu_arch_get_attr(struct kvm_vcpu *vcpu, > int kvm_arm_vcpu_arch_has_attr(struct kvm_vcpu *vcpu, > struct kvm_device_attr *attr); > > -long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, > - struct kvm_arm_copy_mte_tags *copy_tags); > +int kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, > + struct kvm_arm_copy_mte_tags *copy_tags); > > /* Guest/host FPSIMD coordination helpers */ > int kvm_arch_vcpu_run_map_fp(struct kvm_vcpu *vcpu); > diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c > index cf4c495a4321..80e530549c34 100644 > --- a/arch/arm64/kvm/guest.c > +++ b/arch/arm64/kvm/guest.c > @@ -1013,8 +1013,8 @@ int kvm_arm_vcpu_arch_has_attr(struct kvm_vcpu *vcpu, > return ret; > } > > -long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, > - struct kvm_arm_copy_mte_tags *copy_tags) > +int kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, > + struct kvm_arm_copy_mte_tags *copy_tags) > { > gpa_t guest_ipa = copy_tags->guest_ipa; > size_t length = copy_tags->length; > It's possible for the function to return number of bytes have been copied. Its type is 'size_t', same to 'unsigned long'. So 'int' doesn't have sufficient space for it if I'm correct. long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, struct kvm_arm_copy_mte_tags *copy_tags) { gpa_t guest_ipa = copy_tags->guest_ipa; size_t length = copy_tags->length; : : out: mutex_unlock(&kvm->slots_lock); /* If some data has been copied report the number of bytes copied */ if (length != copy_tags->length) return copy_tags->length - length; return ret; } Thanks, Gavin
On 07/02/2023 01.09, Gavin Shan wrote: > Hi Thomas, > > On 2/3/23 8:42 PM, Thomas Huth wrote: >> This function only returns normal integer values, so there is >> no need to declare its return value as "long". >> >> Signed-off-by: Thomas Huth <thuth@redhat.com> >> --- >> arch/arm64/include/asm/kvm_host.h | 4 ++-- >> arch/arm64/kvm/guest.c | 4 ++-- >> 2 files changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/arch/arm64/include/asm/kvm_host.h >> b/arch/arm64/include/asm/kvm_host.h >> index 35a159d131b5..b1a16343767f 100644 >> --- a/arch/arm64/include/asm/kvm_host.h >> +++ b/arch/arm64/include/asm/kvm_host.h >> @@ -963,8 +963,8 @@ int kvm_arm_vcpu_arch_get_attr(struct kvm_vcpu *vcpu, >> int kvm_arm_vcpu_arch_has_attr(struct kvm_vcpu *vcpu, >> struct kvm_device_attr *attr); >> -long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, >> - struct kvm_arm_copy_mte_tags *copy_tags); >> +int kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, >> + struct kvm_arm_copy_mte_tags *copy_tags); >> /* Guest/host FPSIMD coordination helpers */ >> int kvm_arch_vcpu_run_map_fp(struct kvm_vcpu *vcpu); >> diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c >> index cf4c495a4321..80e530549c34 100644 >> --- a/arch/arm64/kvm/guest.c >> +++ b/arch/arm64/kvm/guest.c >> @@ -1013,8 +1013,8 @@ int kvm_arm_vcpu_arch_has_attr(struct kvm_vcpu *vcpu, >> return ret; >> } >> -long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, >> - struct kvm_arm_copy_mte_tags *copy_tags) >> +int kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, >> + struct kvm_arm_copy_mte_tags *copy_tags) >> { >> gpa_t guest_ipa = copy_tags->guest_ipa; >> size_t length = copy_tags->length; >> > > It's possible for the function to return number of bytes have been copied. > Its type is 'size_t', same to 'unsigned long'. So 'int' doesn't have sufficient > space for it if I'm correct. > > long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, > struct kvm_arm_copy_mte_tags *copy_tags) > { > gpa_t guest_ipa = copy_tags->guest_ipa; > size_t length = copy_tags->length; > : > : > out: > mutex_unlock(&kvm->slots_lock); > /* If some data has been copied report the number of bytes copied */ > if (length != copy_tags->length) > return copy_tags->length - length; > return ret; > } Oh, drat, I thought I had checked all return statements ... this must have fallen through the cracks, sorry! Anyway, this is already a problem now: The function is called from kvm_arch_vm_ioctl() (which still returns a long), which in turn is called from kvm_vm_ioctl() in virt/kvm/kvm_main.c. And that functions stores the return value in an "int r" variable. So the upper bits are already lost there. Also, how is this supposed to work from user space? The normal "ioctl()" libc function just returns an "int" ? Is this ioctl already used in a userspace application somewhere? ... at least in QEMU, I didn't spot it yet... Thomas
On 2/7/23 9:09 PM, Thomas Huth wrote: > On 07/02/2023 01.09, Gavin Shan wrote: >> Hi Thomas, >> >> On 2/3/23 8:42 PM, Thomas Huth wrote: >>> This function only returns normal integer values, so there is >>> no need to declare its return value as "long". >>> >>> Signed-off-by: Thomas Huth <thuth@redhat.com> >>> --- >>> arch/arm64/include/asm/kvm_host.h | 4 ++-- >>> arch/arm64/kvm/guest.c | 4 ++-- >>> 2 files changed, 4 insertions(+), 4 deletions(-) >>> >>> diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h >>> index 35a159d131b5..b1a16343767f 100644 >>> --- a/arch/arm64/include/asm/kvm_host.h >>> +++ b/arch/arm64/include/asm/kvm_host.h >>> @@ -963,8 +963,8 @@ int kvm_arm_vcpu_arch_get_attr(struct kvm_vcpu *vcpu, >>> int kvm_arm_vcpu_arch_has_attr(struct kvm_vcpu *vcpu, >>> struct kvm_device_attr *attr); >>> -long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, >>> - struct kvm_arm_copy_mte_tags *copy_tags); >>> +int kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, >>> + struct kvm_arm_copy_mte_tags *copy_tags); >>> /* Guest/host FPSIMD coordination helpers */ >>> int kvm_arch_vcpu_run_map_fp(struct kvm_vcpu *vcpu); >>> diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c >>> index cf4c495a4321..80e530549c34 100644 >>> --- a/arch/arm64/kvm/guest.c >>> +++ b/arch/arm64/kvm/guest.c >>> @@ -1013,8 +1013,8 @@ int kvm_arm_vcpu_arch_has_attr(struct kvm_vcpu *vcpu, >>> return ret; >>> } >>> -long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, >>> - struct kvm_arm_copy_mte_tags *copy_tags) >>> +int kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, >>> + struct kvm_arm_copy_mte_tags *copy_tags) >>> { >>> gpa_t guest_ipa = copy_tags->guest_ipa; >>> size_t length = copy_tags->length; >>> >> >> It's possible for the function to return number of bytes have been copied. >> Its type is 'size_t', same to 'unsigned long'. So 'int' doesn't have sufficient >> space for it if I'm correct. >> >> long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, >> struct kvm_arm_copy_mte_tags *copy_tags) >> { >> gpa_t guest_ipa = copy_tags->guest_ipa; >> size_t length = copy_tags->length; >> : >> : >> out: >> mutex_unlock(&kvm->slots_lock); >> /* If some data has been copied report the number of bytes copied */ >> if (length != copy_tags->length) >> return copy_tags->length - length; >> return ret; >> } > > Oh, drat, I thought I had checked all return statements ... this must have fallen through the cracks, sorry! > > Anyway, this is already a problem now: The function is called from kvm_arch_vm_ioctl() (which still returns a long), which in turn is called from kvm_vm_ioctl() in virt/kvm/kvm_main.c. And that functions stores the return value in an "int r" variable. So the upper bits are already lost there. > > Also, how is this supposed to work from user space? The normal "ioctl()" libc function just returns an "int" ? Is this ioctl already used in a userspace application somewhere? ... at least in QEMU, I didn't spot it yet... > The ioctl command KVM_ARM_MTE_COPY_TAGS was merged recently and not used by QEMU yet. I think struct kvm_arm_copy_mte_tags::length needs to be '__u32' instead of '__u64' in order to standardize the return value. Something like below. Documentation/virt/kvm/api.rst::section-4.130 needs update accordingly. struct kvm_arm_copy_mte_tags { __u64 guest_ipa; __u32 pad; __u32 length; void __user *addr; __u64 flags; __u64 reserved[2]; }; Thanks, Gavin
On Wed, Feb 08 2023, Gavin Shan <gshan@redhat.com> wrote: > On 2/7/23 9:09 PM, Thomas Huth wrote: >> Oh, drat, I thought I had checked all return statements ... this must have fallen through the cracks, sorry! >> >> Anyway, this is already a problem now: The function is called from kvm_arch_vm_ioctl() (which still returns a long), which in turn is called from kvm_vm_ioctl() in virt/kvm/kvm_main.c. And that functions stores the return value in an "int r" variable. So the upper bits are already lost there. >> >> Also, how is this supposed to work from user space? The normal "ioctl()" libc function just returns an "int" ? Is this ioctl already used in a userspace application somewhere? ... at least in QEMU, I didn't spot it yet... >> We will need it in QEMU to implement migration with MTE (the current proposal simply adds a migration blocker when MTE is enabled, as there are various other things that need to be figured out for this to work.) But maybe other VMMs already use it (and have been lucky because they always dealt with shorter lengths?) > > The ioctl command KVM_ARM_MTE_COPY_TAGS was merged recently and not used > by QEMU yet. I think struct kvm_arm_copy_mte_tags::length needs to be > '__u32' instead of '__u64' in order to standardize the return value. > Something like below. Documentation/virt/kvm/api.rst::section-4.130 > needs update accordingly. > > struct kvm_arm_copy_mte_tags { > __u64 guest_ipa; > __u32 pad; > __u32 length; > void __user *addr; > __u64 flags; > __u64 reserved[2]; > }; Can we do this in a more compatible way, as we are dealing with an API? Like returning -EINVAL if length is too big?
On 08/02/2023 08:49, Cornelia Huck wrote: > On Wed, Feb 08 2023, Gavin Shan <gshan@redhat.com> wrote: > >> On 2/7/23 9:09 PM, Thomas Huth wrote: >>> Oh, drat, I thought I had checked all return statements ... this must have fallen through the cracks, sorry! >>> >>> Anyway, this is already a problem now: The function is called from kvm_arch_vm_ioctl() (which still returns a long), which in turn is called from kvm_vm_ioctl() in virt/kvm/kvm_main.c. And that functions stores the return value in an "int r" variable. So the upper bits are already lost there. Sorry about that, I was caught out by kvm_arch_vm_ioctl() returning long... >>> Also, how is this supposed to work from user space? The normal "ioctl()" libc function just returns an "int" ? Is this ioctl already used in a userspace application somewhere? ... at least in QEMU, I didn't spot it yet... >>> > > We will need it in QEMU to implement migration with MTE (the current > proposal simply adds a migration blocker when MTE is enabled, as there > are various other things that need to be figured out for this to work.) > But maybe other VMMs already use it (and have been lucky because they > always dealt with shorter lengths?) > >> >> The ioctl command KVM_ARM_MTE_COPY_TAGS was merged recently and not used >> by QEMU yet. I think struct kvm_arm_copy_mte_tags::length needs to be >> '__u32' instead of '__u64' in order to standardize the return value. >> Something like below. Documentation/virt/kvm/api.rst::section-4.130 >> needs update accordingly. >> >> struct kvm_arm_copy_mte_tags { >> __u64 guest_ipa; >> __u32 pad; >> __u32 length; >> void __user *addr; >> __u64 flags; >> __u64 reserved[2]; >> }; > > Can we do this in a more compatible way, as we are dealing with an API? > Like returning -EINVAL if length is too big? > I agree the simplest fix for the problem is simply to reject any lengths>INT_MAX: diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c index cf4c495a4321..94aed7ce85c4 100644 --- a/arch/arm64/kvm/guest.c +++ b/arch/arm64/kvm/guest.c @@ -1032,6 +1032,13 @@ long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, if (copy_tags->flags & ~KVM_ARM_TAGS_FROM_GUEST) return -EINVAL; + /* + * ioctl returns int, so lengths above INT_MAX cannot be + * represented in the return value + */ + if (length > INT_MAX) + return -EINVAL; + if (length & ~PAGE_MASK || guest_ipa & ~PAGE_MASK) return -EINVAL; This could also be fixed in a useable way by including a new flag which returns the length in an output field of the ioctl structure. I'm guessing a 2GB limit would be annoying to work around. Steve
On 08/02/2023 12.51, Steven Price wrote: > On 08/02/2023 08:49, Cornelia Huck wrote: >> On Wed, Feb 08 2023, Gavin Shan <gshan@redhat.com> wrote: >> >>> On 2/7/23 9:09 PM, Thomas Huth wrote: >>>> Oh, drat, I thought I had checked all return statements ... this must have fallen through the cracks, sorry! >>>> >>>> Anyway, this is already a problem now: The function is called from kvm_arch_vm_ioctl() (which still returns a long), which in turn is called from kvm_vm_ioctl() in virt/kvm/kvm_main.c. And that functions stores the return value in an "int r" variable. So the upper bits are already lost there. > > Sorry about that, I was caught out by kvm_arch_vm_ioctl() returning long... That's why I'm trying to fix that return type mess with my series, to avoid such problems in the future :-) >>>> Also, how is this supposed to work from user space? The normal "ioctl()" libc function just returns an "int" ? Is this ioctl already used in a userspace application somewhere? ... at least in QEMU, I didn't spot it yet... >>>> >> >> We will need it in QEMU to implement migration with MTE (the current >> proposal simply adds a migration blocker when MTE is enabled, as there >> are various other things that need to be figured out for this to work.) >> But maybe other VMMs already use it (and have been lucky because they >> always dealt with shorter lengths?) >> >>> >>> The ioctl command KVM_ARM_MTE_COPY_TAGS was merged recently and not used >>> by QEMU yet. I think struct kvm_arm_copy_mte_tags::length needs to be >>> '__u32' instead of '__u64' in order to standardize the return value. >>> Something like below. Documentation/virt/kvm/api.rst::section-4.130 >>> needs update accordingly. >>> >>> struct kvm_arm_copy_mte_tags { >>> __u64 guest_ipa; >>> __u32 pad; >>> __u32 length; >>> void __user *addr; >>> __u64 flags; >>> __u64 reserved[2]; >>> }; >> >> Can we do this in a more compatible way, as we are dealing with an API? >> Like returning -EINVAL if length is too big? >> > > I agree the simplest fix for the problem is simply to reject any > lengths>INT_MAX: > > diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c > index cf4c495a4321..94aed7ce85c4 100644 > --- a/arch/arm64/kvm/guest.c > +++ b/arch/arm64/kvm/guest.c > @@ -1032,6 +1032,13 @@ long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, > if (copy_tags->flags & ~KVM_ARM_TAGS_FROM_GUEST) > return -EINVAL; > > + /* > + * ioctl returns int, so lengths above INT_MAX cannot be > + * represented in the return value > + */ > + if (length > INT_MAX) > + return -EINVAL; > + > if (length & ~PAGE_MASK || guest_ipa & ~PAGE_MASK) > return -EINVAL; > > This could also be fixed in a useable way by including a new flag which > returns the length in an output field of the ioctl structure. I'm > guessing a 2GB limit would be annoying to work around. I agree that checking for length > INT_MAX is likely the best thing to do here right now. I'll add that in v2 of my series. But actually, this might even be a good thing from another point of view (so I'm not sure whether your idea with the flag should really be pursued): The code here takes a mutex and then runs a while loop that depends on the length - which could cause the lock to be held for a rather long time if length is a 64-bit value. Forcing the user space to limit the length here could help to avoid taking the lock for too long. Thomas
diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h index 35a159d131b5..b1a16343767f 100644 --- a/arch/arm64/include/asm/kvm_host.h +++ b/arch/arm64/include/asm/kvm_host.h @@ -963,8 +963,8 @@ int kvm_arm_vcpu_arch_get_attr(struct kvm_vcpu *vcpu, int kvm_arm_vcpu_arch_has_attr(struct kvm_vcpu *vcpu, struct kvm_device_attr *attr); -long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, - struct kvm_arm_copy_mte_tags *copy_tags); +int kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, + struct kvm_arm_copy_mte_tags *copy_tags); /* Guest/host FPSIMD coordination helpers */ int kvm_arch_vcpu_run_map_fp(struct kvm_vcpu *vcpu); diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c index cf4c495a4321..80e530549c34 100644 --- a/arch/arm64/kvm/guest.c +++ b/arch/arm64/kvm/guest.c @@ -1013,8 +1013,8 @@ int kvm_arm_vcpu_arch_has_attr(struct kvm_vcpu *vcpu, return ret; } -long kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, - struct kvm_arm_copy_mte_tags *copy_tags) +int kvm_vm_ioctl_mte_copy_tags(struct kvm *kvm, + struct kvm_arm_copy_mte_tags *copy_tags) { gpa_t guest_ipa = copy_tags->guest_ipa; size_t length = copy_tags->length;