Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1000486pxj;
        Wed, 2 Jun 2021 17:44:58 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwfx8Vdv3FgejATXnGR2kW17Rv7pSgkjMtA4+y/7gxaLTBy8wAhEoWfvRaSrTeq47eYiIPg
X-Received: by 2002:a05:6402:50c6:: with SMTP id h6mr7579771edb.224.1622681097933;
        Wed, 02 Jun 2021 17:44:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622681097; cv=none;
        d=google.com; s=arc-20160816;
        b=ockvsXHqEps+KVO4pFn4el3g317EJMo5f7lTfQoW7iCVQxSr+LEbUkZMyjNVp34l2R
         0EWB8ddhj+zN2nWFLklv8YxlyvGc47ATKd2YRBkKZrrauP1jnT7eOgUbukvPVwq6ohYZ
         SsWsyNI/jYdnFAyLEe8VkdSrfZ/56Iqra8aaI5PtvXRZoZvQT86km4Zv7ZJW+UQ3ygXc
         Lk5tpdLAYnLyA2Atjf9NLhSMSILmMOPSdOA/Rz411D98t5WDXMbFdaWE64KqJGB3adRm
         z317/h/51OM45+PRlgxu3e2SskT858Y97JtKYiI4byhuSq+PdNlAXTx0X6XyiCdYzI70
         /5eg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :ironport-sdr:ironport-sdr;
        bh=ltMorN6XQghyuCBNkk5+klM9HNDCtSUqUe6pNAJH2AI=;
        b=zAUT8Ryq2t++dGYv9VpBhuSKpQ1dmwm3ka7Jy4NiZ+ww+RnRAosZz5bIeBiwXbqHs9
         NMRzjQvz2RgNHhbD3QhaD4Q59XqFcfyQsMGQ59bdjTSDkZ0QMw2tkzYD6pQExFRBN+2b
         5jTg66WVph9ddY5K3hEttFHJ/Ulqqo5VpgppHVdpB7wnHcq0PbS325/hBTQaWVqU7iJK
         OwYaLhnLQYYGOcgpjvIc1AKUPFhkv5SXapftKdAMGBRwP+w3uJzLsVDNJdTX8TVfHVP7
         uaa+ii2JvFtJsqLzXafnhDqfWbtzy6hzoeKtIQjXm5/Ke60fZqEn8ELzmCUNU3lmw7AG
         +Gag==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id q2si1273622ejx.574.2021.06.02.17.44.35;
        Wed, 02 Jun 2021 17:44:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229926AbhFCAnn (ORCPT <rfc822;luke.ovalle@gmail.com>
        + 99 others); Wed, 2 Jun 2021 20:43:43 -0400
Received: from mga04.intel.com ([192.55.52.120]:20968 "EHLO mga04.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S229810AbhFCAnb (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Jun 2021 20:43:31 -0400
IronPort-SDR: zdngS3Gfqiy37/4RJtO69BGXPSj7zCDA6De5uedM58wgC9wvk0QUKxWf4wMa6qtxAUse73qxRR
 manDaHPiuLZA==
X-IronPort-AV: E=McAfee;i="6200,9189,10003"; a="202075170"
X-IronPort-AV: E=Sophos;i="5.83,244,1616482800"; 
   d="scan'208";a="202075170"
Received: from orsmga004.jf.intel.com ([10.7.209.38])
  by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Jun 2021 17:41:46 -0700
IronPort-SDR: VL+aXnuQatkvpNkp3FGdeTErR4yDwQpYb+ewFaiTnnSMh3nd3KYOvi3JsGBefEMdCmu0HYu8xI
 bn1hvlf9segA==
X-IronPort-AV: E=Sophos;i="5.83,244,1616482800"; 
   d="scan'208";a="549686682"
Received: from tassilo.jf.intel.com ([10.54.74.11])
  by orsmga004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Jun 2021 17:41:44 -0700
From:   Andi Kleen <ak@linux.intel.com>
To:     mst@redhat.com
Cc:     jasowang@redhat.com, virtualization@lists.linux-foundation.org,
        hch@lst.de, m.szyprowski@samsung.com, robin.murphy@arm.com,
        iommu@lists.linux-foundation.org, x86@kernel.org,
        sathyanarayanan.kuppuswamy@linux.intel.com, jpoimboe@redhat.com,
        linux-kernel@vger.kernel.org, Andi Kleen <ak@linux.intel.com>
Subject: [PATCH v1 7/8] virtio: Abort IO when descriptor points outside forced swiotlb
Date:   Wed,  2 Jun 2021 17:41:32 -0700
Message-Id: <20210603004133.4079390-8-ak@linux.intel.com>
X-Mailer: git-send-email 2.25.4
In-Reply-To: <20210603004133.4079390-1-ak@linux.intel.com>
References: <20210603004133.4079390-1-ak@linux.intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Now that we have a return value for unmapping DMA mappings that
are outside the forced swiotlb, use that to abort the IO operation.

This prevents the host from subverting a read to access some
data in the guest address space, which it might then get access somehow in
another IO operation. It can subvert reads to point to other
reads or other writes, but since it controls IO it can do
that anyways.

This is only done for the split code path, which is the only
one supported with confidential guests.

Signed-off-by: Andi Kleen <ak@linux.intel.com>
---
 drivers/virtio/virtio_ring.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 1e9aa1e95e1b..244a5b62d85c 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -365,29 +365,31 @@ static int vring_mapping_error(const struct vring_virtqueue *vq,
  * Split ring specific functions - *_split().
  */
 
-static void vring_unmap_one_split(const struct vring_virtqueue *vq,
+static int vring_unmap_one_split(const struct vring_virtqueue *vq,
 				  struct vring_desc *desc)
 {
 	u16 flags;
+	int ret;
 
 	if (!vq->use_dma_api)
-		return;
+		return 0;
 
 	flags = virtio16_to_cpu(vq->vq.vdev, desc->flags);
 
 	if (flags & VRING_DESC_F_INDIRECT) {
-		dma_unmap_single(vring_dma_dev(vq),
+		ret = dma_unmap_single(vring_dma_dev(vq),
 				 virtio64_to_cpu(vq->vq.vdev, desc->addr),
 				 virtio32_to_cpu(vq->vq.vdev, desc->len),
 				 (flags & VRING_DESC_F_WRITE) ?
 				 DMA_FROM_DEVICE : DMA_TO_DEVICE);
 	} else {
-		dma_unmap_page(vring_dma_dev(vq),
+		ret = dma_unmap_page(vring_dma_dev(vq),
 			       virtio64_to_cpu(vq->vq.vdev, desc->addr),
 			       virtio32_to_cpu(vq->vq.vdev, desc->len),
 			       (flags & VRING_DESC_F_WRITE) ?
 			       DMA_FROM_DEVICE : DMA_TO_DEVICE);
 	}
+	return ret;
 }
 
 static struct vring_desc *alloc_indirect_split(struct virtqueue *_vq,
@@ -609,6 +611,10 @@ static inline int virtqueue_add_split(struct virtqueue *_vq,
 			break;
 		if (!inside_split_ring(vq, i))
 			break;
+		/*
+		 * Ignore unmapping errors since
+		 * we're aborting anyways.
+		 */
 		vring_unmap_one_split(vq, &desc[i]);
 		i = virtio16_to_cpu(_vq->vdev, desc[i].next);
 	}
@@ -671,7 +677,10 @@ static int detach_buf_split(struct vring_virtqueue *vq, unsigned int head,
 	i = head;
 
 	while (vq->split.vring.desc[i].flags & nextflag) {
-		vring_unmap_one_split(vq, &vq->split.vring.desc[i]);
+		int ret;
+		ret = vring_unmap_one_split(vq, &vq->split.vring.desc[i]);
+		if (ret)
+			return ret;
 		i = virtio16_to_cpu(vq->vq.vdev, vq->split.vring.desc[i].next);
 		if (!inside_split_ring(vq, i))
 			return -EIO;
@@ -878,6 +887,7 @@ static void *virtqueue_detach_unused_buf_split(struct virtqueue *_vq)
 			continue;
 		/* detach_buf_split clears data, so grab it now. */
 		buf = vq->split.desc_state[i].data;
+		/* Ignore unmap errors because there is nothing to abort */
 		detach_buf_split(vq, i, NULL);
 		/* Don't need to check for error because nothing is returned */
 		vq->split.avail_idx_shadow--;
-- 
2.25.4