From: Suzuki K Poulose
To: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, cdall@kernel.org, marc.zyngier@arm.com, punit.agrawal@arm.com, will.deacon@arm.com, catalin.marinas@arm.com, pbonzini@redhat.com, rkrcmar@redhat.com, ard.biesheuvel@linaro.org, peter.maydell@linaro.org, kristina.martsenko@arm.com, mark.rutland@arm.com, Suzuki K Poulose, "Michael S. Tsirkin", Jason Wang, Jean-Philippe Brucker
Subject: [PATCH v2 01/17] virtio: mmio-v1: Validate queue PFN
Date: Tue, 27 Mar 2018 14:15:11 +0100
Message-Id: <1522156531-28348-2-git-send-email-suzuki.poulose@arm.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1522156531-28348-1-git-send-email-suzuki.poulose@arm.com>
References: <1522156531-28348-1-git-send-email-suzuki.poulose@arm.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

virtio-mmio with virtio-v1 uses a 32bit PFN for the queue. If the queue pfn is too large to fit in 32bits, which we could hit on arm64 systems with 52bit physical addresses (even with 64K page size), we simply miss out a proper link to the other side of the queue. Add a check to validate the PFN, rather than silently breaking the devices.

Cc: "Michael S. Tsirkin"
Cc: Jason Wang
Cc: Marc Zyngier
Cc: Christoffer Dall
Cc: Peter Maydel
Cc: Jean-Philippe Brucker
Signed-off-by: Suzuki K Poulose
--- drivers/virtio/virtio_mmio.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c index 67763d3..b2f9b5c 100644 --- a/drivers/virtio/virtio_mmio.c +++ b/drivers/virtio/virtio_mmio.c 
@@ -397,9 +397,21 @@ static struct virtqueue *vm_setup_vq(struct virtio_device *vdev, unsigned index, /* Activate the queue */ writel(virtqueue_get_vring_size(vq), vm_dev->base + VIRTIO_MMIO_QUEUE_NUM); if (vm_dev->version == 1) { + u64 q_pfn = virtqueue_get_desc_addr(vq) >> PAGE_SHIFT; + + /* + * virtio-mmio v1 uses a 32bit QUEUE PFN. If we have something + * that doesn't fit in 32bit, fail the setup rather than + * pretending to be successful. + */ + if (q_pfn >> 32) { + dev_err(&vdev->dev, "virtio-mmio: queue address too large\n"); + err = -ENOMEM; + goto error_bad_pfn; + } + writel(PAGE_SIZE, vm_dev->base + VIRTIO_MMIO_QUEUE_ALIGN); - writel(virtqueue_get_desc_addr(vq) >> PAGE_SHIFT, - vm_dev->base + VIRTIO_MMIO_QUEUE_PFN); + writel(q_pfn, vm_dev->base + VIRTIO_MMIO_QUEUE_PFN); } else { u64 addr; @@ -430,6 +442,8 @@ static struct virtqueue *vm_setup_vq(struct virtio_device *vdev, unsigned index, return vq; +error_bad_pfn: + vring_del_virtqueue(vq); error_new_virtqueue: if (vm_dev->version == 1) { writel(0, vm_dev->base + VIRTIO_MMIO_QUEUE_PFN); -- 2.7.4
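
Review bot: In the first hunk (vm_setup_vq, the version == 1 branch), `err = -ENOMEM` misreports the failure: nothing failed to allocate, the ring was allocated at an address whose PFN does not fit the 32-bit QUEUE_PFN register. A distinct errno such as -E2BIG would let callers and logs tell this apart from a real out-of-memory condition. The dev_err text "queue address too large" could also state the limit, namely that the descriptor address shifted right by PAGE_SHIFT must fit in 32 bits, so whoever reads the log can see it is a memory-layout problem with the legacy interface rather than a driver fault.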
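
Review bot: In the second hunk, the new error_bad_pfn label depends on falling through into error_new_virtqueue, which in the version == 1 case writes 0 to VIRTIO_MMIO_QUEUE_PFN; a one-line comment saying the fall-through is intentional would make that explicit. The label is also named after its single cause, while what it does is undo ring creation with vring_del_virtqueue(vq); naming it for the cleanup it performs would let any later failure path that occurs after the ring exists reuse it.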