From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sean Christopherson, Alex Williamson, Sasha Levin, kvm@vger.kernel.org
Subject: [PATCH AUTOSEL 5.6 19/50] vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn()
Date: Thu, 7 May 2020 10:26:55 -0400
Message-Id: <20200507142726.25751-19-sashal@kernel.org>
In-Reply-To: <20200507142726.25751-1-sashal@kernel.org>
References: <20200507142726.25751-1-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson

[ Upstream commit 5cbf3264bc715e9eb384e2b68601f8c02bb9a61d ]

Use follow_pfn() to get the PFN of a PFNMAP VMA instead of assuming that
vma->vm_pgoff holds the base PFN of the VMA. This fixes a bug where
attempting to do VFIO_IOMMU_MAP_DMA on an arbitrary PFNMAP'd region of
memory calculates garbage for the PFN.

Hilariously, this only got detected because the first "PFN" calculated
by vaddr_get_pfn() is PFN 0 (vma->vm_pgoff==0), and iommu_iova_to_phys()
uses PA==0 as an error, which triggers a WARN in vfio_unmap_unpin()
because the translation "failed". PFN 0 is now unconditionally reserved
on x86 in order to mitigate L1TF, which causes is_invalid_reserved_pfn()
to return true and in turn results in vaddr_get_pfn() returning success
for PFN 0. Eventually the bogus calculation runs into PFNs that aren't
reserved and leads to failure in vfio_pin_map_dma(). The subsequent call
to vfio_remove_dma() attempts to unmap PFN 0 and WARNs.

WARNING: CPU: 8 PID: 5130 at drivers/vfio/vfio_iommu_type1.c:750 vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1]
Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio ...
CPU: 8 PID: 5130 Comm: sgx Tainted: G W 5.6.0-rc5-705d787c7fee-vfio+ #3
Hardware name: Intel Corporation Mehlow UP Server Platform/Moss Beach Server, BIOS CNLSE2R1.D00.X119.B49.1803010910 03/01/2018
RIP: 0010:vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1]
Code: <0f> 0b 49 81 c5 00 10 00 00 e9 c5 fe ff ff bb 00 10 00 00 e9 3d fe
RSP: 0018:ffffbeb5039ebda8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff9a55cbf8d480 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9a52b771c200
RBP: 0000000000000000 R08: 0000000000000040 R09: 00000000fffffff2
R10: 0000000000000001 R11: ffff9a51fa896000 R12: 0000000184010000
R13: 0000000184000000 R14: 0000000000010000 R15: ffff9a55cb66ea08
FS:  00007f15d3830b40(0000) GS:ffff9a55d5600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561cf39429e0 CR3: 000000084f75f005 CR4: 00000000003626e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 vfio_remove_dma+0x17/0x70 [vfio_iommu_type1]
 vfio_iommu_type1_ioctl+0x9e3/0xa7b [vfio_iommu_type1]
 ksys_ioctl+0x92/0xb0
 __x64_sys_ioctl+0x16/0x20
 do_syscall_64+0x4c/0x180
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f15d04c75d7
Code: <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48

Fixes: 73fa0d10d077 ("vfio: Type1 IOMMU implementation")
Signed-off-by: Sean Christopherson
Signed-off-by: Alex Williamson
Signed-off-by: Sasha Levin
---
 drivers/vfio/vfio_iommu_type1.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index ec9be79ba2d79..4315facf0243a 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -341,8 +341,8 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr, vma = find_vma_intersection(mm, vaddr, vaddr + 1); if (vma && vma->vm_flags & VM_PFNMAP) { - *pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff; - if (is_invalid_reserved_pfn(*pfn)) + if (!follow_pfn(vma, vaddr, pfn) && + is_invalid_reserved_pfn(*pfn)) ret = 0; } done: -- 2.20.1
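Review bot: when follow_pfn() fails inside the VM_PFNMAP branch, ret keeps whatever value it had before the branch (the hunk never assigns it on that path) and *pfn is left unwritten, so a PFNMAP VMA that cannot be resolved reports the earlier error rather than a translation failure; make sure every caller treats *pfn as valid only when ret == 0, and consider saying so in the commit message. follow_pfn() also requires the caller to hold the mmap lock, and the hunk shows only find_vma_intersection() without the surrounding locking, so confirm vaddr_get_pfn() holds it across both calls. A one-line comment above the new condition explaining why vm_pgoff cannot be used as the base PFN of a VM_PFNMAP VMA would help, since the removed line `*pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;` looks plausible enough that someone may reintroduce it.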