diff options
author | Andres Beltran <lkmlabelt@gmail.com> | 2021-04-08 18:14:39 +0200 |
---|---|---|
committer | Wei Liu <wei.liu@kernel.org> | 2021-05-14 17:37:46 +0000 |
commit | adae1e931acd8b430d31141a283ea06d4b705417 (patch) | |
tree | 70799e7f212ce0f991b0a675625391b8adf606f3 /drivers/hv/channel.c | |
parent | 03b30cc38dd3c3521dafb1cb2ac4ecd8470bbf0a (diff) | |
download | lwn-adae1e931acd8b430d31141a283ea06d4b705417.tar.gz lwn-adae1e931acd8b430d31141a283ea06d4b705417.zip |
Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer
Pointers to ring-buffer packets sent by Hyper-V are used within the
guest VM. Hyper-V can send packets with erroneous values or modify
packet fields after they are processed by the guest. To defend
against these scenarios, return a copy of the incoming VMBus packet
after validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran <lkmlabelt@gmail.com>
Co-developed-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/20210408161439.341988-1-parri.andrea@gmail.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Diffstat (limited to 'drivers/hv/channel.c')
-rw-r--r-- | drivers/hv/channel.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index c2635e913a92..bfbca4eeb773 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -662,12 +662,15 @@ static int __vmbus_open(struct vmbus_channel *newchannel, newchannel->onchannel_callback = onchannelcallback; newchannel->channel_callback_context = context; - err = hv_ringbuffer_init(&newchannel->outbound, page, send_pages); + if (!newchannel->max_pkt_size) + newchannel->max_pkt_size = VMBUS_DEFAULT_MAX_PKT_SIZE; + + err = hv_ringbuffer_init(&newchannel->outbound, page, send_pages, 0); if (err) goto error_clean_ring; - err = hv_ringbuffer_init(&newchannel->inbound, - &page[send_pages], recv_pages); + err = hv_ringbuffer_init(&newchannel->inbound, &page[send_pages], + recv_pages, newchannel->max_pkt_size); if (err) goto error_clean_ring; |