aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/vhost/vhost.c
diff options
context:
space:
mode:
Diffstat (limited to 'drivers/vhost/vhost.c')
-rw-r--r--drivers/vhost/vhost.c86
1 files changed, 44 insertions, 42 deletions
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 3b83382e06eb..0b99783083f6 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -736,12 +736,12 @@ static int translate_desc(struct vhost_dev *dev, u64 addr, u32 len,
736 mem = rcu_dereference(dev->memory); 736 mem = rcu_dereference(dev->memory);
737 while ((u64)len > s) { 737 while ((u64)len > s) {
738 u64 size; 738 u64 size;
739 if (ret >= iov_size) { 739 if (unlikely(ret >= iov_size)) {
740 ret = -ENOBUFS; 740 ret = -ENOBUFS;
741 break; 741 break;
742 } 742 }
743 reg = find_region(mem, addr, len); 743 reg = find_region(mem, addr, len);
744 if (!reg) { 744 if (unlikely(!reg)) {
745 ret = -EFAULT; 745 ret = -EFAULT;
746 break; 746 break;
747 } 747 }
@@ -780,18 +780,18 @@ static unsigned next_desc(struct vring_desc *desc)
780 return next; 780 return next;
781} 781}
782 782
783static unsigned get_indirect(struct vhost_dev *dev, struct vhost_virtqueue *vq, 783static int get_indirect(struct vhost_dev *dev, struct vhost_virtqueue *vq,
784 struct iovec iov[], unsigned int iov_size, 784 struct iovec iov[], unsigned int iov_size,
785 unsigned int *out_num, unsigned int *in_num, 785 unsigned int *out_num, unsigned int *in_num,
786 struct vhost_log *log, unsigned int *log_num, 786 struct vhost_log *log, unsigned int *log_num,
787 struct vring_desc *indirect) 787 struct vring_desc *indirect)
788{ 788{
789 struct vring_desc desc; 789 struct vring_desc desc;
790 unsigned int i = 0, count, found = 0; 790 unsigned int i = 0, count, found = 0;
791 int ret; 791 int ret;
792 792
793 /* Sanity check */ 793 /* Sanity check */
794 if (indirect->len % sizeof desc) { 794 if (unlikely(indirect->len % sizeof desc)) {
795 vq_err(vq, "Invalid length in indirect descriptor: " 795 vq_err(vq, "Invalid length in indirect descriptor: "
796 "len 0x%llx not multiple of 0x%zx\n", 796 "len 0x%llx not multiple of 0x%zx\n",
797 (unsigned long long)indirect->len, 797 (unsigned long long)indirect->len,
@@ -801,7 +801,7 @@ static unsigned get_indirect(struct vhost_dev *dev, struct vhost_virtqueue *vq,
801 801
802 ret = translate_desc(dev, indirect->addr, indirect->len, vq->indirect, 802 ret = translate_desc(dev, indirect->addr, indirect->len, vq->indirect,
803 ARRAY_SIZE(vq->indirect)); 803 ARRAY_SIZE(vq->indirect));
804 if (ret < 0) { 804 if (unlikely(ret < 0)) {
805 vq_err(vq, "Translation failure %d in indirect.\n", ret); 805 vq_err(vq, "Translation failure %d in indirect.\n", ret);
806 return ret; 806 return ret;
807 } 807 }
@@ -813,7 +813,7 @@ static unsigned get_indirect(struct vhost_dev *dev, struct vhost_virtqueue *vq,
813 count = indirect->len / sizeof desc; 813 count = indirect->len / sizeof desc;
814 /* Buffers are chained via a 16 bit next field, so 814 /* Buffers are chained via a 16 bit next field, so
815 * we can have at most 2^16 of these. */ 815 * we can have at most 2^16 of these. */
816 if (count > USHRT_MAX + 1) { 816 if (unlikely(count > USHRT_MAX + 1)) {
817 vq_err(vq, "Indirect buffer length too big: %d\n", 817 vq_err(vq, "Indirect buffer length too big: %d\n",
818 indirect->len); 818 indirect->len);
819 return -E2BIG; 819 return -E2BIG;
@@ -821,19 +821,19 @@ static unsigned get_indirect(struct vhost_dev *dev, struct vhost_virtqueue *vq,
821 821
822 do { 822 do {
823 unsigned iov_count = *in_num + *out_num; 823 unsigned iov_count = *in_num + *out_num;
824 if (++found > count) { 824 if (unlikely(++found > count)) {
825 vq_err(vq, "Loop detected: last one at %u " 825 vq_err(vq, "Loop detected: last one at %u "
826 "indirect size %u\n", 826 "indirect size %u\n",
827 i, count); 827 i, count);
828 return -EINVAL; 828 return -EINVAL;
829 } 829 }
830 if (memcpy_fromiovec((unsigned char *)&desc, vq->indirect, 830 if (unlikely(memcpy_fromiovec((unsigned char *)&desc, vq->indirect,
831 sizeof desc)) { 831 sizeof desc))) {
832 vq_err(vq, "Failed indirect descriptor: idx %d, %zx\n", 832 vq_err(vq, "Failed indirect descriptor: idx %d, %zx\n",
833 i, (size_t)indirect->addr + i * sizeof desc); 833 i, (size_t)indirect->addr + i * sizeof desc);
834 return -EINVAL; 834 return -EINVAL;
835 } 835 }
836 if (desc.flags & VRING_DESC_F_INDIRECT) { 836 if (unlikely(desc.flags & VRING_DESC_F_INDIRECT)) {
837 vq_err(vq, "Nested indirect descriptor: idx %d, %zx\n", 837 vq_err(vq, "Nested indirect descriptor: idx %d, %zx\n",
838 i, (size_t)indirect->addr + i * sizeof desc); 838 i, (size_t)indirect->addr + i * sizeof desc);
839 return -EINVAL; 839 return -EINVAL;
@@ -841,7 +841,7 @@ static unsigned get_indirect(struct vhost_dev *dev, struct vhost_virtqueue *vq,
841 841
842 ret = translate_desc(dev, desc.addr, desc.len, iov + iov_count, 842 ret = translate_desc(dev, desc.addr, desc.len, iov + iov_count,
843 iov_size - iov_count); 843 iov_size - iov_count);
844 if (ret < 0) { 844 if (unlikely(ret < 0)) {
845 vq_err(vq, "Translation failure %d indirect idx %d\n", 845 vq_err(vq, "Translation failure %d indirect idx %d\n",
846 ret, i); 846 ret, i);
847 return ret; 847 return ret;
@@ -857,7 +857,7 @@ static unsigned get_indirect(struct vhost_dev *dev, struct vhost_virtqueue *vq,
857 } else { 857 } else {
858 /* If it's an output descriptor, they're all supposed 858 /* If it's an output descriptor, they're all supposed
859 * to come before any input descriptors. */ 859 * to come before any input descriptors. */
860 if (*in_num) { 860 if (unlikely(*in_num)) {
861 vq_err(vq, "Indirect descriptor " 861 vq_err(vq, "Indirect descriptor "
862 "has out after in: idx %d\n", i); 862 "has out after in: idx %d\n", i);
863 return -EINVAL; 863 return -EINVAL;
@@ -873,12 +873,13 @@ static unsigned get_indirect(struct vhost_dev *dev, struct vhost_virtqueue *vq,
873 * number of output then some number of input descriptors, it's actually two 873 * number of output then some number of input descriptors, it's actually two
874 * iovecs, but we pack them into one and note how many of each there were. 874 * iovecs, but we pack them into one and note how many of each there were.
875 * 875 *
876 * This function returns the descriptor number found, or vq->num (which 876 * This function returns the descriptor number found, or vq->num (which is
877 * is never a valid descriptor number) if none was found. */ 877 * never a valid descriptor number) if none was found. A negative code is
878unsigned vhost_get_vq_desc(struct vhost_dev *dev, struct vhost_virtqueue *vq, 878 * returned on error. */
879 struct iovec iov[], unsigned int iov_size, 879int vhost_get_vq_desc(struct vhost_dev *dev, struct vhost_virtqueue *vq,
880 unsigned int *out_num, unsigned int *in_num, 880 struct iovec iov[], unsigned int iov_size,
881 struct vhost_log *log, unsigned int *log_num) 881 unsigned int *out_num, unsigned int *in_num,
882 struct vhost_log *log, unsigned int *log_num)
882{ 883{
883 struct vring_desc desc; 884 struct vring_desc desc;
884 unsigned int i, head, found = 0; 885 unsigned int i, head, found = 0;
@@ -887,16 +888,16 @@ unsigned vhost_get_vq_desc(struct vhost_dev *dev, struct vhost_virtqueue *vq,
887 888
888 /* Check it isn't doing very strange things with descriptor numbers. */ 889 /* Check it isn't doing very strange things with descriptor numbers. */
889 last_avail_idx = vq->last_avail_idx; 890 last_avail_idx = vq->last_avail_idx;
890 if (get_user(vq->avail_idx, &vq->avail->idx)) { 891 if (unlikely(get_user(vq->avail_idx, &vq->avail->idx))) {
891 vq_err(vq, "Failed to access avail idx at %p\n", 892 vq_err(vq, "Failed to access avail idx at %p\n",
892 &vq->avail->idx); 893 &vq->avail->idx);
893 return vq->num; 894 return -EFAULT;
894 } 895 }
895 896
896 if ((u16)(vq->avail_idx - last_avail_idx) > vq->num) { 897 if (unlikely((u16)(vq->avail_idx - last_avail_idx) > vq->num)) {
897 vq_err(vq, "Guest moved used index from %u to %u", 898 vq_err(vq, "Guest moved used index from %u to %u",
898 last_avail_idx, vq->avail_idx); 899 last_avail_idx, vq->avail_idx);
899 return vq->num; 900 return -EFAULT;
900 } 901 }
901 902
902 /* If there's nothing new since last we looked, return invalid. */ 903 /* If there's nothing new since last we looked, return invalid. */
@@ -908,18 +909,19 @@ unsigned vhost_get_vq_desc(struct vhost_dev *dev, struct vhost_virtqueue *vq,
908 909
909 /* Grab the next descriptor number they're advertising, and increment 910 /* Grab the next descriptor number they're advertising, and increment
910 * the index we've seen. */ 911 * the index we've seen. */
911 if (get_user(head, &vq->avail->ring[last_avail_idx % vq->num])) { 912 if (unlikely(get_user(head,
913 &vq->avail->ring[last_avail_idx % vq->num]))) {
912 vq_err(vq, "Failed to read head: idx %d address %p\n", 914 vq_err(vq, "Failed to read head: idx %d address %p\n",
913 last_avail_idx, 915 last_avail_idx,
914 &vq->avail->ring[last_avail_idx % vq->num]); 916 &vq->avail->ring[last_avail_idx % vq->num]);
915 return vq->num; 917 return -EFAULT;
916 } 918 }
917 919
918 /* If their number is silly, that's an error. */ 920 /* If their number is silly, that's an error. */
919 if (head >= vq->num) { 921 if (unlikely(head >= vq->num)) {
920 vq_err(vq, "Guest says index %u > %u is available", 922 vq_err(vq, "Guest says index %u > %u is available",
921 head, vq->num); 923 head, vq->num);
922 return vq->num; 924 return -EINVAL;
923 } 925 }
924 926
925 /* When we start there are none of either input nor output. */ 927 /* When we start there are none of either input nor output. */
@@ -930,41 +932,41 @@ unsigned vhost_get_vq_desc(struct vhost_dev *dev, struct vhost_virtqueue *vq,
930 i = head; 932 i = head;
931 do { 933 do {
932 unsigned iov_count = *in_num + *out_num; 934 unsigned iov_count = *in_num + *out_num;
933 if (i >= vq->num) { 935 if (unlikely(i >= vq->num)) {
934 vq_err(vq, "Desc index is %u > %u, head = %u", 936 vq_err(vq, "Desc index is %u > %u, head = %u",
935 i, vq->num, head); 937 i, vq->num, head);
936 return vq->num; 938 return -EINVAL;
937 } 939 }
938 if (++found > vq->num) { 940 if (unlikely(++found > vq->num)) {
939 vq_err(vq, "Loop detected: last one at %u " 941 vq_err(vq, "Loop detected: last one at %u "
940 "vq size %u head %u\n", 942 "vq size %u head %u\n",
941 i, vq->num, head); 943 i, vq->num, head);
942 return vq->num; 944 return -EINVAL;
943 } 945 }
944 ret = copy_from_user(&desc, vq->desc + i, sizeof desc); 946 ret = copy_from_user(&desc, vq->desc + i, sizeof desc);
945 if (ret) { 947 if (unlikely(ret)) {
946 vq_err(vq, "Failed to get descriptor: idx %d addr %p\n", 948 vq_err(vq, "Failed to get descriptor: idx %d addr %p\n",
947 i, vq->desc + i); 949 i, vq->desc + i);
948 return vq->num; 950 return -EFAULT;
949 } 951 }
950 if (desc.flags & VRING_DESC_F_INDIRECT) { 952 if (desc.flags & VRING_DESC_F_INDIRECT) {
951 ret = get_indirect(dev, vq, iov, iov_size, 953 ret = get_indirect(dev, vq, iov, iov_size,
952 out_num, in_num, 954 out_num, in_num,
953 log, log_num, &desc); 955 log, log_num, &desc);
954 if (ret < 0) { 956 if (unlikely(ret < 0)) {
955 vq_err(vq, "Failure detected " 957 vq_err(vq, "Failure detected "
956 "in indirect descriptor at idx %d\n", i); 958 "in indirect descriptor at idx %d\n", i);
957 return vq->num; 959 return ret;
958 } 960 }
959 continue; 961 continue;
960 } 962 }
961 963
962 ret = translate_desc(dev, desc.addr, desc.len, iov + iov_count, 964 ret = translate_desc(dev, desc.addr, desc.len, iov + iov_count,
963 iov_size - iov_count); 965 iov_size - iov_count);
964 if (ret < 0) { 966 if (unlikely(ret < 0)) {
965 vq_err(vq, "Translation failure %d descriptor idx %d\n", 967 vq_err(vq, "Translation failure %d descriptor idx %d\n",
966 ret, i); 968 ret, i);
967 return vq->num; 969 return ret;
968 } 970 }
969 if (desc.flags & VRING_DESC_F_WRITE) { 971 if (desc.flags & VRING_DESC_F_WRITE) {
970 /* If this is an input descriptor, 972 /* If this is an input descriptor,
@@ -978,10 +980,10 @@ unsigned vhost_get_vq_desc(struct vhost_dev *dev, struct vhost_virtqueue *vq,
978 } else { 980 } else {
979 /* If it's an output descriptor, they're all supposed 981 /* If it's an output descriptor, they're all supposed
980 * to come before any input descriptors. */ 982 * to come before any input descriptors. */
981 if (*in_num) { 983 if (unlikely(*in_num)) {
982 vq_err(vq, "Descriptor has out after in: " 984 vq_err(vq, "Descriptor has out after in: "
983 "idx %d\n", i); 985 "idx %d\n", i);
984 return vq->num; 986 return -EINVAL;
985 } 987 }
986 *out_num += ret; 988 *out_num += ret;
987 } 989 }