Hi Michael,
I'm a bit confused about why ubuf_info and heads are UIO_MAXIOV
length arrays, rather than being the size of the ring? In particular,
this is suspicious:
linux/drivers/vhost/net.c:342: struct ubuf_info *ubuf = &vq->ubuf_info[head];
And it seems to assume we trust head: a malicious guest could put the
same head entry in the ring twice, and we will get two callbacks on the
same value. I don't know what that will do, but I'm not sure it's
harmless.
Thanks,
Rusty.
_______________________________________________
Virtualization mailing list
[email protected]
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
