From: Laurent Vivier <lvivier@redhat.com>
To: David Gibson <david@gibson.dropbear.id.au>
Cc: passt-dev@passt.top
Subject: Re: [PATCH 1/5] packet: replace struct desc by struct iovec
Date: Thu, 4 Jul 2024 17:52:09 +0200
Message-ID: <df783f29-ddea-472b-ae2d-ec2eb10b270f@redhat.com>
In-Reply-To: <Znjee-Qq8vtM3oCI@zatzit>

On 24/06/2024 04:48, David Gibson wrote:
> On Fri, Jun 21, 2024 at 04:56:36PM +0200, Laurent Vivier wrote:
>
> Needs a commit message.
>
>> Signed-off-by: Laurent Vivier <lvivier@redhat.com>
>> ---
>> packet.c | 75 +++++++++++++++++++++++++++++++-------------------------
>> packet.h | 14 ++---------
>> 2 files changed, 43 insertions(+), 46 deletions(-)
>>
>> diff --git a/packet.c b/packet.c
>> index ccfc84607709..af2a539a1794 100644
>> --- a/packet.c
>> +++ b/packet.c
...
>> + }
>> +
>> + if (start + len + offset > p->buf + p->buf_size) {
>
> Also pre-existing, but I wonder if we should check for overflow of
> (start + len + offset).

Originally, I didn't want to change the existing behaviour, only to move code and to use
a common function for packet_add_do() and packet_get_do().
But if you think it would be better, I can update the code for that:

>> + if (func) {
>> + trace("packet offset plus length %lu from size %lu, "
>> + "%s:%i", start - p->buf + len + offset,
>> + p->buf_size, func, line);
>> + }
>> + return -1;
>> + }
>> +
>> +#if UINTPTR_MAX == UINT64_MAX
>> + if ((uintptr_t)start - (uintptr_t)p->buf > UINT32_MAX) {
>
> I don't think this check is relevant any more if we're going to iovecs
> - this was just because the offset in struct desc was only 32-bit.

I agree.

>
>> + trace("add packet start %p, buffer start %p, %s:%i",
>> + (void *)start, (void *)p->buf, func, line);
>> + return -1;
>> + }
>> +#endif
>> +
>> + return 0;
>> +}
>> /**
>> * packet_add_do() - Add data as packet descriptor to given pool
>> * @p: Existing pool
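
Review bot: The bound test `start + len + offset > p->buf + p->buf_size` in packet_check_range() does its arithmetic on pointers, so a large `len` or `offset` can carry the left-hand side past the end of the buffer object (undefined behaviour, and a wrap in practice) before the comparison runs. Once `start` is known to be at or after `p->buf`, compare sizes instead: test `offset` and then `len` against `p->buf_size - (size_t)(start - p->buf)` by subtraction, so that no sum is ever formed. Two smaller points in the same function: the first trace() uses `%lu` for size_t values such as `p->buf_size` (`%zu` is used elsewhere in this patch), and the trace() under `#if UINTPTR_MAX == UINT64_MAX` is not guarded by `if (func)` like the one above it, which matters if `func` can be NULL as that guard implies.
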
>> @@ -41,34 +71,16 @@ void packet_add_do(struct pool *p, size_t len, const char *start,
>> return;
>> }
>>
>> - if (start < p->buf) {
>> - trace("add packet start %p before buffer start %p, %s:%i",
>> - (void *)start, (void *)p->buf, func, line);
>> + if (packet_check_range(p, 0, len, start, func, line))
>> return;
>> - }
>> -
>> - if (start + len > p->buf + p->buf_size) {
>> - trace("add packet start %p, length: %zu, buffer end %p, %s:%i",
>> - (void *)start, len, (void *)(p->buf + p->buf_size),
>> - func, line);
>> - return;
>> - }
>>
>> if (len > UINT16_MAX) {
>> trace("add packet length %zu, %s:%i", len, func, line);
>> return;
>> }
>>
>> -#if UINTPTR_MAX == UINT64_MAX
>> - if ((uintptr_t)start - (uintptr_t)p->buf > UINT32_MAX) {
>> - trace("add packet start %p, buffer start %p, %s:%i",
>> - (void *)start, (void *)p->buf, func, line);
>> - return;
>> - }
>> -#endif
>> -
>> - p->pkt[idx].offset = start - p->buf;
>> - p->pkt[idx].len = len;
>> + p->pkt[idx].iov_base = (void *)start;
>> + p->pkt[idx].iov_len = len;
>>
>> p->count++;
>> }
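
Review bot: In packet_add_do(), `packet_check_range(p, 0, len, start, func, line)` now runs before the `len > UINT16_MAX` test, so an unbounded `len` reaches the range arithmetic first. Moving the `len > UINT16_MAX` check above the call would mean the helper only ever sees a small length on the add path. Separately, `p->pkt[idx].iov_base = (void *)start` drops the const from `const char *start`; a short comment stating that pool entries must not be written through `iov_base` would keep that contract visible.
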
>> @@ -104,28 +116,23 @@ void *packet_get_do(const struct pool *p, size_t idx, size_t offset,
>> return NULL;
>> }
>>
>> - if (p->pkt[idx].offset + len + offset > p->buf_size) {
>> + if (len + offset > p->pkt[idx].iov_len) {
>> if (func) {
>> - trace("packet offset plus length %zu from size %zu, "
>> - "%s:%i", p->pkt[idx].offset + len + offset,
>> - p->buf_size, func, line);
>> + trace("data length %zu, offset %zu from length %zu, "
>> + "%s:%i", len, offset, p->pkt[idx].iov_len,
>> + func, line);
>
> I'm not sure either the old or new message is particularly descriptive
> here :/

I think the func and line parameters will help to understand the problem, and the others
why the trace is triggered.

>
>> }
>> return NULL;
>> }
>>
>> - if (len + offset > p->pkt[idx].len) {
>> - if (func) {
>> - trace("data length %zu, offset %zu from length %u, "
>> - "%s:%i", len, offset, p->pkt[idx].len,
>> - func, line);
>> - }
>> + if (packet_check_range(p, offset, len, p->pkt[idx].iov_base,
>> + func, line))
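
Review bot: The new first test in packet_get_do(), `len + offset > p->pkt[idx].iov_len`, adds two caller-supplied size_t values, and unless something earlier in the function (not shown in this hunk) bounds both, the sum can wrap and pass. Writing it as `offset > p->pkt[idx].iov_len || len > p->pkt[idx].iov_len - offset` avoids forming the sum. If the following packet_check_range() call on `iov_base` is kept as a second line of defence for reads, a one-line comment saying so would explain why both checks exist.
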
>
> Ah.. right.. in this case we certainly don't want ASSERT()s in
> packet_check_range(). Still wonder if that would make more sense for
> the packet add case, however.
>
> A couple of other points:
> * You've effectively switched the order of the two different tests here
> (one range checking against the entire buffer, one range checking
> against a single packet). Any reason for that?

The idea is to check the parameters are valid before checking the buffer is valid.

> * Do we actually need the entire-buffer check here on the _get()
> side? Isn't it enough to ensure that packets lie within the buffer
> when they're inserted? Pre-existing, again, AFAICT.

I wanted to keep the idea introduced in bb708111833e ("treewide: Packet abstraction with
mandatory boundary checks") and check that we don't read outside of the buffer.

Thanks,
Laurent