Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp662187imm; Fri, 29 Jun 2018 04:25:47 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKKmGJDvRYMZPy0mqxSR2HieXpE3/n39bLaP4UZx5kmcalgPzproUQUieLd4J3MLw3aFqLS X-Received: by 2002:a63:af14:: with SMTP id w20-v6mr12604332pge.47.1530271547171; Fri, 29 Jun 2018 04:25:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530271547; cv=none; d=google.com; s=arc-20160816; b=rnbVvu/sroUCoKBJMXZeqxEntWoQzsXKDogh8SO7KNNNG7RwyF5iLlzBZiPAdDFbqw adNk4T4kEyUAQBTK+s00jwVvisMHlJu8VcMMjxlCnMA0d+V9ZbJAqk3vdRqvGn+roDpo In5uGeV0I5DiYCIQbwwiTWVKUpjAhN7S1dD/bKIVvGCpssW4V+pVx2GMU306v1reORTs ZnF53xXiJJVuDM2uFXDXlv/P+IjcVueld1YKcQXo0yfKt68+nSDiEevdlar1HfCizMPh 4dzyPjubpNEGTOs5F48Bf7KNGYAcKlvVngK7CLY4iGs+xo8m48UvIOl+EWibknEg52Jd 5T8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=TYvMVkILc/9aSpaDPxp4x4EGOmbSYePryGi23lUbwag=; b=IGhuixLQ4diGmvacUCUmRTUEVSRsLQiZzaR1TvYzcz+kPjtuSOrhhU8LrCGkWwS4gO uAFV9/p6ttAReM30/OYiXjhyLim7pWog4OZutidYAxySDj3psue/5Gba/DAwrMtyLTSb FpGwxgkHOCOI+ORGLOg0DEnKDL/7/6w9Jap837/HCpkNbkSiAOTtxRuviBZ6tj9ZdW0P Kujz0S0Ru43d+v27xUIycW4AegNdwADe/mAFt3RhVupxYIiYNQo3f5iXgNaaM96OtL9a IIJFk3J5QxfZYEW1RJReFP7APAfNmYcs2GrdSdeINpu/HzX3CQ7T3HlfHokuc+hzUaN8 0eGQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e72-v6si8527132pfl.132.2018.06.29.04.25.32; Fri, 29 Jun 2018 04:25:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755205AbeF2LQY (ORCPT + 99 others); Fri, 29 Jun 2018 07:16:24 -0400 Received: from foss.arm.com ([217.140.101.70]:60042 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755161AbeF2LQT (ORCPT ); Fri, 29 Jun 2018 07:16:19 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 3114615AD; Fri, 29 Jun 2018 04:16:19 -0700 (PDT) Received: from en101.cambridge.arm.com (en101.cambridge.arm.com [10.1.206.73]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 411A03F266; Fri, 29 Jun 2018 04:16:16 -0700 (PDT) From: Suzuki K Poulose To: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, kvmarm@lists.cs.columbia.edu, james.morse@arm.com, marc.zyngier@arm.com, cdall@kernel.org, eric.auger@redhat.com, julien.grall@arm.com, will.deacon@arm.com, catalin.marinas@arm.com, punit.agrawal@arm.com, qemu-devel@nongnu.org, Suzuki K Poulose , "Michael S. Tsirkin" , Jason Wang , Peter Maydel , Jean-Philippe Brucker Subject: [PATCH v3 02/20] virtio: pci-legacy: Validate queue pfn Date: Fri, 29 Jun 2018 12:15:22 +0100 Message-Id: <1530270944-11351-3-git-send-email-suzuki.poulose@arm.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1530270944-11351-1-git-send-email-suzuki.poulose@arm.com> References: <1530270944-11351-1-git-send-email-suzuki.poulose@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Legacy PCI over virtio uses a 32bit PFN for the queue. If the queue pfn is too large to fit in 32bits, which we could hit on arm64 systems with 52bit physical addresses (even with 64K page size), we simply miss out a proper link to the other side of the queue. Add a check to validate the PFN, rather than silently breaking the devices. Cc: "Michael S. Tsirkin" Cc: Jason Wang Cc: Marc Zyngier Cc: Christoffer Dall Cc: Peter Maydel Cc: Jean-Philippe Brucker Signed-off-by: Suzuki K Poulose --- Changes since v2: - Change errno to -E2BIG --- drivers/virtio/virtio_pci_legacy.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/drivers/virtio/virtio_pci_legacy.c b/drivers/virtio/virtio_pci_legacy.c index 2780886..c0d6987a 100644 --- a/drivers/virtio/virtio_pci_legacy.c +++ b/drivers/virtio/virtio_pci_legacy.c @@ -122,6 +122,7 @@ static struct virtqueue *setup_vq(struct virtio_pci_device *vp_dev, struct virtqueue *vq; u16 num; int err; + u64 q_pfn; /* Select the queue we're interested in */ iowrite16(index, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_SEL); @@ -141,9 +142,15 @@ static struct virtqueue *setup_vq(struct virtio_pci_device *vp_dev, if (!vq) return ERR_PTR(-ENOMEM); + q_pfn = virtqueue_get_desc_addr(vq) >> VIRTIO_PCI_QUEUE_ADDR_SHIFT; + if (q_pfn >> 32) { + dev_err(&vp_dev->pci_dev->dev, "virtio-pci queue PFN too large\n"); + err = -E2BIG; + goto out_del_vq; + } + /* activate the queue */ - iowrite32(virtqueue_get_desc_addr(vq) >> VIRTIO_PCI_QUEUE_ADDR_SHIFT, - vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN); + iowrite32(q_pfn, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN); vq->priv = (void __force *)vp_dev->ioaddr + VIRTIO_PCI_QUEUE_NOTIFY; @@ -160,6 +167,7 @@ static struct virtqueue *setup_vq(struct virtio_pci_device *vp_dev, out_deactivate: iowrite32(0, vp_dev->ioaddr + VIRTIO_PCI_QUEUE_PFN); +out_del_vq: vring_del_virtqueue(vq); return ERR_PTR(err); } -- 2.7.4