Commit 8e5dadfe authored by Bijan Mottahedeh's avatar Bijan Mottahedeh Committed by Michael S. Tsirkin

vhost/scsi: Use copy_to_iter() to send control queue response

Uses copy_to_iter() instead of __copy_to_user() in order to ensure we
support arbitrary layouts and an input buffer split across iov entries.

Fixes: 0d02dbd6 ("vhost/scsi: Respond to control queue operations")
Signed-off-by: default avatarBijan Mottahedeh <bijan.mottahedeh@oracle.com>
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
parent 74ad7419
...@@ -1127,16 +1127,18 @@ vhost_scsi_send_tmf_reject(struct vhost_scsi *vs, ...@@ -1127,16 +1127,18 @@ vhost_scsi_send_tmf_reject(struct vhost_scsi *vs,
struct vhost_virtqueue *vq, struct vhost_virtqueue *vq,
struct vhost_scsi_ctx *vc) struct vhost_scsi_ctx *vc)
{ {
struct virtio_scsi_ctrl_tmf_resp __user *resp;
struct virtio_scsi_ctrl_tmf_resp rsp; struct virtio_scsi_ctrl_tmf_resp rsp;
struct iov_iter iov_iter;
int ret; int ret;
pr_debug("%s\n", __func__); pr_debug("%s\n", __func__);
memset(&rsp, 0, sizeof(rsp)); memset(&rsp, 0, sizeof(rsp));
rsp.response = VIRTIO_SCSI_S_FUNCTION_REJECTED; rsp.response = VIRTIO_SCSI_S_FUNCTION_REJECTED;
resp = vq->iov[vc->out].iov_base;
ret = __copy_to_user(resp, &rsp, sizeof(rsp)); iov_iter_init(&iov_iter, READ, &vq->iov[vc->out], vc->in, sizeof(rsp));
if (!ret)
ret = copy_to_iter(&rsp, sizeof(rsp), &iov_iter);
if (likely(ret == sizeof(rsp)))
vhost_add_used_and_signal(&vs->dev, vq, vc->head, 0); vhost_add_used_and_signal(&vs->dev, vq, vc->head, 0);
else else
pr_err("Faulted on virtio_scsi_ctrl_tmf_resp\n"); pr_err("Faulted on virtio_scsi_ctrl_tmf_resp\n");
...@@ -1147,16 +1149,18 @@ vhost_scsi_send_an_resp(struct vhost_scsi *vs, ...@@ -1147,16 +1149,18 @@ vhost_scsi_send_an_resp(struct vhost_scsi *vs,
struct vhost_virtqueue *vq, struct vhost_virtqueue *vq,
struct vhost_scsi_ctx *vc) struct vhost_scsi_ctx *vc)
{ {
struct virtio_scsi_ctrl_an_resp __user *resp;
struct virtio_scsi_ctrl_an_resp rsp; struct virtio_scsi_ctrl_an_resp rsp;
struct iov_iter iov_iter;
int ret; int ret;
pr_debug("%s\n", __func__); pr_debug("%s\n", __func__);
memset(&rsp, 0, sizeof(rsp)); /* event_actual = 0 */ memset(&rsp, 0, sizeof(rsp)); /* event_actual = 0 */
rsp.response = VIRTIO_SCSI_S_OK; rsp.response = VIRTIO_SCSI_S_OK;
resp = vq->iov[vc->out].iov_base;
ret = __copy_to_user(resp, &rsp, sizeof(rsp)); iov_iter_init(&iov_iter, READ, &vq->iov[vc->out], vc->in, sizeof(rsp));
if (!ret)
ret = copy_to_iter(&rsp, sizeof(rsp), &iov_iter);
if (likely(ret == sizeof(rsp)))
vhost_add_used_and_signal(&vs->dev, vq, vc->head, 0); vhost_add_used_and_signal(&vs->dev, vq, vc->head, 0);
else else
pr_err("Faulted on virtio_scsi_ctrl_an_resp\n"); pr_err("Faulted on virtio_scsi_ctrl_an_resp\n");
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment