| From foo@baz Wed Apr 11 10:26:56 CEST 2018 |
| From: Jason Wang <jasowang@redhat.com> |
| Date: Thu, 29 Mar 2018 16:00:04 +0800 |
| Subject: vhost: validate log when IOTLB is enabled |
| |
| From: Jason Wang <jasowang@redhat.com> |
| |
| |
| [ Upstream commit d65026c6c62e7d9616c8ceb5a53b68bcdc050525 ] |
| |
| Vq log_base is the userspace address of bitmap which has nothing to do |
| with IOTLB. So it needs to be validated unconditionally otherwise we |
| may try use 0 as log_base which may lead to pin pages that will lead |
| unexpected result (e.g trigger BUG_ON() in set_bit_to_user()). |
| |
| Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API") |
| Reported-by: syzbot+6304bf97ef436580fede@syzkaller.appspotmail.com |
| Signed-off-by: Jason Wang <jasowang@redhat.com> |
| Acked-by: Michael S. Tsirkin <mst@redhat.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/vhost/vhost.c | 14 ++++++-------- |
| 1 file changed, 6 insertions(+), 8 deletions(-) |
| |
| --- a/drivers/vhost/vhost.c |
| +++ b/drivers/vhost/vhost.c |
| @@ -1175,14 +1175,12 @@ static int vq_log_access_ok(struct vhost |
| /* Caller should have vq mutex and device mutex */ |
| int vhost_vq_access_ok(struct vhost_virtqueue *vq) |
| { |
| - if (vq->iotlb) { |
| - /* When device IOTLB was used, the access validation |
| - * will be validated during prefetching. |
| - */ |
| - return 1; |
| - } |
| - return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used) && |
| - vq_log_access_ok(vq, vq->log_base); |
| + int ret = vq_log_access_ok(vq, vq->log_base); |
| + |
| + if (ret || vq->iotlb) |
| + return ret; |
| + |
| + return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used); |
| } |
| EXPORT_SYMBOL_GPL(vhost_vq_access_ok); |
| |
