From: Zenghui Yu
CC: Zenghui Yu, Keqian Zhu
Subject: [PATCH 1/2] KVM: arm64: vgic: Forbid invalid userspace Redistributor accesses
Date: Fri, 13 Nov 2020 22:28:00 +0800
Message-ID: <20201113142801.1659-2-yuzenghui@huawei.com>
In-Reply-To: <20201113142801.1659-1-yuzenghui@huawei.com>
References: <20201113142801.1659-1-yuzenghui@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

It's expected that users will access registers in the redistributor *if*
the RD has been initialized properly. Unfortunately userspace can be bogus
enough to access registers before setting the RD base address, and KVM
implicitly allows it (we handle the access anyway, regardless of whether
the base address is set).

Bad things happen when we're handling the user read of GICR_TYPER. We end up
with an oops when dereferencing the unset rdreg...

	gpa_t last_rdist_typer = rdreg->base + GICR_TYPER +
			(rdreg->free_index - 1) * KVM_VGIC_V3_REDIST_SIZE;

Fix this issue by informing userspace what had gone wrong (-ENXIO).

Reported-by: Keqian Zhu
Signed-off-by: Zenghui Yu
---
 arch/arm64/kvm/vgic/vgic-mmio-v3.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kvm/vgic/vgic-mmio-v3.c b/arch/arm64/kvm/vgic/vgic-mmio-v3.c index 52d6f24f65dc..30e370585a27 100644 --- a/arch/arm64/kvm/vgic/vgic-mmio-v3.c +++ b/arch/arm64/kvm/vgic/vgic-mmio-v3.c
@@ -1040,11 +1040,15 @@ int vgic_v3_dist_uaccess(struct kvm_vcpu *vcpu, bool is_write, int vgic_v3_redist_uaccess(struct kvm_vcpu *vcpu, bool is_write, int offset, u32 *val) { + struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu; struct vgic_io_device rd_dev = { .regions = vgic_v3_rd_registers, .nr_regions = ARRAY_SIZE(vgic_v3_rd_registers), }; + if (IS_VGIC_ADDR_UNDEF(vgic_cpu->rd_iodev.base_addr)) + return -ENXIO; + return vgic_uaccess(vcpu, &rd_dev, is_write, offset, val); } -- 2.19.1
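Review bot: The new early return in vgic_v3_redist_uaccess() tests vgic_cpu->rd_iodev.base_addr, while the oops described in the commit message comes from dereferencing rdreg, and nothing in the hunk says why the two are equivalent. A one-line comment above the IS_VGIC_ADDR_UNDEF() check stating that an unset base_addr means rdreg has not been assigned either would make the guard self-explanatory; alternatively, test the pointer that is actually dereferenced. The check also sits ahead of vgic_uaccess() with no condition on is_write or offset, so it rejects every userspace Redistributor access, not only reads of GICR_TYPER. That makes -ENXIO a userspace-visible behaviour change, which the commit message should state explicitly and the vgic-v3 device API documentation should list as a possible error.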