RE: [PATCH v3 09/17] iommufd: Add IOMMU_HWPT_INVALIDATE

From: Liu, Yi L
Date: Wed Aug 02 2023 - 22:56:37 EST


> From: Jason Gunthorpe <jgg@xxxxxxxxxx>
> Sent: Monday, July 31, 2023 9:19 PM
>
> On Mon, Jul 31, 2023 at 10:07:32AM +0000, Liu, Yi L wrote:
> > > > + goto out_put_hwpt;
> > > > + }
> > > > +
> > > > + /*
> > > > + * Copy the needed fields before reusing the ucmd buffer, this
> > > > + * avoids memory allocation in this path.
> > > > + */
> > > > + user_ptr = cmd->data_uptr;
> > > > + user_data_len = cmd->data_len;
> > >
> > > Uhh, who checks that klen < the temporary stack struct?
> >
> > Take vtd as an example. The invalidate structure is struct
> iommu_hwpt_vtd_s1_invalidate[1].
> > The klen is sizeof(struct iommu_hwpt_vtd_s1_invalidate)[2].
> iommu_hwpt_vtd_s1_invalidate
> > is also placed in the temporary stack struct (actually it is a union)[1]. So the klen should
> > be <= temporary stack.
>
> Ohh, I think I would add a few comments noting that the invalidate
> structs need to be added to that union. Easy to miss.

Sure. Actually, there are some description as below in patch [1]. Would
add some as well here.

"Cache invalidation path is performance path, so it's better to avoid
memory allocation in such path. To achieve it, this path reuses the
ucmd_buffer to copy user data. So the new data structures are added in
the ucmd_buffer union to avoid overflow."

[1] https://lore.kernel.org/linux-iommu/20230724111335.107427-8-yi.l.liu@xxxxxxxxx/

> > It's not so explicit though. Perhaps worth to have a check like below in this patch?
> >
> > if (unlikely(klen > sizeof(union ucmd_buffer)))
> > return -EINVAL;
>
> Yes, stick this in the domain allocate path with a WARN_ON. The driver
> is broken to allocate a domain with an invalid size.

Ok. so if any mistake on the data structure, the allocation fails in the first place.

Regards,
Yi Liu