mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-15 16:24:13 +08:00
e2ae38cf3d
In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when
start is 0 and last is ULONG_MAX. One instance where it can happen
is when userspace sends an IOTLB message with iova=size=uaddr=0
(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,
last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,
iotlb_access_ok() loops indefinitely due to that erroneous entry.
Call Trace:
<TASK>
iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
Reported by syzbot at:
https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87
To fix this, do two things:
1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map
a range with size 0.
2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]
by splitting it into two entries.
Fixes: 0bbe30668d ("vhost: factor out IOTLB")
Reported-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com
Tested-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Link: https://lore.kernel.org/r/20220305095525.5145-1-mail@anirudhrb.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
201 lines
4.9 KiB
C
201 lines
4.9 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/* Copyright (C) 2020 Red Hat, Inc.
|
|
* Author: Jason Wang <jasowang@redhat.com>
|
|
*
|
|
* IOTLB implementation for vhost.
|
|
*/
|
|
#include <linux/slab.h>
|
|
#include <linux/vhost_iotlb.h>
|
|
#include <linux/module.h>
|
|
|
|
#define MOD_VERSION "0.1"
|
|
#define MOD_DESC "VHOST IOTLB"
|
|
#define MOD_AUTHOR "Jason Wang <jasowang@redhat.com>"
|
|
#define MOD_LICENSE "GPL v2"
|
|
|
|
#define START(map) ((map)->start)
|
|
#define LAST(map) ((map)->last)
|
|
|
|
INTERVAL_TREE_DEFINE(struct vhost_iotlb_map,
|
|
rb, __u64, __subtree_last,
|
|
START, LAST, static inline, vhost_iotlb_itree);
|
|
|
|
/**
|
|
* vhost_iotlb_map_free - remove a map node and free it
|
|
* @iotlb: the IOTLB
|
|
* @map: the map that want to be remove and freed
|
|
*/
|
|
void vhost_iotlb_map_free(struct vhost_iotlb *iotlb,
|
|
struct vhost_iotlb_map *map)
|
|
{
|
|
vhost_iotlb_itree_remove(map, &iotlb->root);
|
|
list_del(&map->link);
|
|
kfree(map);
|
|
iotlb->nmaps--;
|
|
}
|
|
EXPORT_SYMBOL_GPL(vhost_iotlb_map_free);
|
|
|
|
/**
|
|
* vhost_iotlb_add_range_ctx - add a new range to vhost IOTLB
|
|
* @iotlb: the IOTLB
|
|
* @start: start of the IOVA range
|
|
* @last: last of IOVA range
|
|
* @addr: the address that is mapped to @start
|
|
* @perm: access permission of this range
|
|
* @opaque: the opaque pointer for the new mapping
|
|
*
|
|
* Returns an error last is smaller than start or memory allocation
|
|
* fails
|
|
*/
|
|
int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb,
|
|
u64 start, u64 last,
|
|
u64 addr, unsigned int perm,
|
|
void *opaque)
|
|
{
|
|
struct vhost_iotlb_map *map;
|
|
|
|
if (last < start)
|
|
return -EFAULT;
|
|
|
|
/* If the range being mapped is [0, ULONG_MAX], split it into two entries
|
|
* otherwise its size would overflow u64.
|
|
*/
|
|
if (start == 0 && last == ULONG_MAX) {
|
|
u64 mid = last / 2;
|
|
|
|
vhost_iotlb_add_range_ctx(iotlb, start, mid, addr, perm, opaque);
|
|
addr += mid + 1;
|
|
start = mid + 1;
|
|
}
|
|
|
|
if (iotlb->limit &&
|
|
iotlb->nmaps == iotlb->limit &&
|
|
iotlb->flags & VHOST_IOTLB_FLAG_RETIRE) {
|
|
map = list_first_entry(&iotlb->list, typeof(*map), link);
|
|
vhost_iotlb_map_free(iotlb, map);
|
|
}
|
|
|
|
map = kmalloc(sizeof(*map), GFP_ATOMIC);
|
|
if (!map)
|
|
return -ENOMEM;
|
|
|
|
map->start = start;
|
|
map->size = last - start + 1;
|
|
map->last = last;
|
|
map->addr = addr;
|
|
map->perm = perm;
|
|
map->opaque = opaque;
|
|
|
|
iotlb->nmaps++;
|
|
vhost_iotlb_itree_insert(map, &iotlb->root);
|
|
|
|
INIT_LIST_HEAD(&map->link);
|
|
list_add_tail(&map->link, &iotlb->list);
|
|
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(vhost_iotlb_add_range_ctx);
|
|
|
|
int vhost_iotlb_add_range(struct vhost_iotlb *iotlb,
|
|
u64 start, u64 last,
|
|
u64 addr, unsigned int perm)
|
|
{
|
|
return vhost_iotlb_add_range_ctx(iotlb, start, last,
|
|
addr, perm, NULL);
|
|
}
|
|
EXPORT_SYMBOL_GPL(vhost_iotlb_add_range);
|
|
|
|
/**
|
|
* vhost_iotlb_del_range - delete overlapped ranges from vhost IOTLB
|
|
* @iotlb: the IOTLB
|
|
* @start: start of the IOVA range
|
|
* @last: last of IOVA range
|
|
*/
|
|
void vhost_iotlb_del_range(struct vhost_iotlb *iotlb, u64 start, u64 last)
|
|
{
|
|
struct vhost_iotlb_map *map;
|
|
|
|
while ((map = vhost_iotlb_itree_iter_first(&iotlb->root,
|
|
start, last)))
|
|
vhost_iotlb_map_free(iotlb, map);
|
|
}
|
|
EXPORT_SYMBOL_GPL(vhost_iotlb_del_range);
|
|
|
|
/**
|
|
* vhost_iotlb_alloc - add a new vhost IOTLB
|
|
* @limit: maximum number of IOTLB entries
|
|
* @flags: VHOST_IOTLB_FLAG_XXX
|
|
*
|
|
* Returns an error is memory allocation fails
|
|
*/
|
|
struct vhost_iotlb *vhost_iotlb_alloc(unsigned int limit, unsigned int flags)
|
|
{
|
|
struct vhost_iotlb *iotlb = kzalloc(sizeof(*iotlb), GFP_KERNEL);
|
|
|
|
if (!iotlb)
|
|
return NULL;
|
|
|
|
iotlb->root = RB_ROOT_CACHED;
|
|
iotlb->limit = limit;
|
|
iotlb->nmaps = 0;
|
|
iotlb->flags = flags;
|
|
INIT_LIST_HEAD(&iotlb->list);
|
|
|
|
return iotlb;
|
|
}
|
|
EXPORT_SYMBOL_GPL(vhost_iotlb_alloc);
|
|
|
|
/**
|
|
* vhost_iotlb_reset - reset vhost IOTLB (free all IOTLB entries)
|
|
* @iotlb: the IOTLB to be reset
|
|
*/
|
|
void vhost_iotlb_reset(struct vhost_iotlb *iotlb)
|
|
{
|
|
vhost_iotlb_del_range(iotlb, 0ULL, 0ULL - 1);
|
|
}
|
|
EXPORT_SYMBOL_GPL(vhost_iotlb_reset);
|
|
|
|
/**
|
|
* vhost_iotlb_free - reset and free vhost IOTLB
|
|
* @iotlb: the IOTLB to be freed
|
|
*/
|
|
void vhost_iotlb_free(struct vhost_iotlb *iotlb)
|
|
{
|
|
if (iotlb) {
|
|
vhost_iotlb_reset(iotlb);
|
|
kfree(iotlb);
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(vhost_iotlb_free);
|
|
|
|
/**
|
|
* vhost_iotlb_itree_first - return the first overlapped range
|
|
* @iotlb: the IOTLB
|
|
* @start: start of IOVA range
|
|
* @last: last byte in IOVA range
|
|
*/
|
|
struct vhost_iotlb_map *
|
|
vhost_iotlb_itree_first(struct vhost_iotlb *iotlb, u64 start, u64 last)
|
|
{
|
|
return vhost_iotlb_itree_iter_first(&iotlb->root, start, last);
|
|
}
|
|
EXPORT_SYMBOL_GPL(vhost_iotlb_itree_first);
|
|
|
|
/**
|
|
* vhost_iotlb_itree_next - return the next overlapped range
|
|
* @map: the starting map node
|
|
* @start: start of IOVA range
|
|
* @last: last byte IOVA range
|
|
*/
|
|
struct vhost_iotlb_map *
|
|
vhost_iotlb_itree_next(struct vhost_iotlb_map *map, u64 start, u64 last)
|
|
{
|
|
return vhost_iotlb_itree_iter_next(map, start, last);
|
|
}
|
|
EXPORT_SYMBOL_GPL(vhost_iotlb_itree_next);
|
|
|
|
MODULE_VERSION(MOD_VERSION);
|
|
MODULE_DESCRIPTION(MOD_DESC);
|
|
MODULE_AUTHOR(MOD_AUTHOR);
|
|
MODULE_LICENSE(MOD_LICENSE);
|