From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sean Christopherson <sean.j.christopherson@intel.com>,
Alex Williamson <alex.williamson@redhat.com>,
Sasha Levin <sashal@kernel.org>,
kvm@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 14/35] vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn()
Date: Thu, 7 May 2020 10:28:08 -0400 [thread overview]
Message-ID: <20200507142830.26239-14-sashal@kernel.org> (raw)
In-Reply-To: <20200507142830.26239-1-sashal@kernel.org>
From: Sean Christopherson <sean.j.christopherson@intel.com>
[ Upstream commit 5cbf3264bc715e9eb384e2b68601f8c02bb9a61d ]
Use follow_pfn() to get the PFN of a PFNMAP VMA instead of assuming that
vma->vm_pgoff holds the base PFN of the VMA. This fixes a bug where
attempting to do VFIO_IOMMU_MAP_DMA on an arbitrary PFNMAP'd region of
memory calculates garbage for the PFN.
Hilariously, this only got detected because the first "PFN" calculated
by vaddr_get_pfn() is PFN 0 (vma->vm_pgoff==0), and iommu_iova_to_phys()
uses PA==0 as an error, which triggers a WARN in vfio_unmap_unpin()
because the translation "failed". PFN 0 is now unconditionally reserved
on x86 in order to mitigate L1TF, which causes is_invalid_reserved_pfn()
to return true and in turns results in vaddr_get_pfn() returning success
for PFN 0. Eventually the bogus calculation runs into PFNs that aren't
reserved and leads to failure in vfio_pin_map_dma(). The subsequent
call to vfio_remove_dma() attempts to unmap PFN 0 and WARNs.
WARNING: CPU: 8 PID: 5130 at drivers/vfio/vfio_iommu_type1.c:750 vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1]
Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio ...
CPU: 8 PID: 5130 Comm: sgx Tainted: G W 5.6.0-rc5-705d787c7fee-vfio+ #3
Hardware name: Intel Corporation Mehlow UP Server Platform/Moss Beach Server, BIOS CNLSE2R1.D00.X119.B49.1803010910 03/01/2018
RIP: 0010:vfio_unmap_unpin+0x2e1/0x310 [vfio_iommu_type1]
Code: <0f> 0b 49 81 c5 00 10 00 00 e9 c5 fe ff ff bb 00 10 00 00 e9 3d fe
RSP: 0018:ffffbeb5039ebda8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff9a55cbf8d480 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9a52b771c200
RBP: 0000000000000000 R08: 0000000000000040 R09: 00000000fffffff2
R10: 0000000000000001 R11: ffff9a51fa896000 R12: 0000000184010000
R13: 0000000184000000 R14: 0000000000010000 R15: ffff9a55cb66ea08
FS: 00007f15d3830b40(0000) GS:ffff9a55d5600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561cf39429e0 CR3: 000000084f75f005 CR4: 00000000003626e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
vfio_remove_dma+0x17/0x70 [vfio_iommu_type1]
vfio_iommu_type1_ioctl+0x9e3/0xa7b [vfio_iommu_type1]
ksys_ioctl+0x92/0xb0
__x64_sys_ioctl+0x16/0x20
do_syscall_64+0x4c/0x180
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f15d04c75d7
Code: <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48
Fixes: 73fa0d10d077 ("vfio: Type1 IOMMU implementation")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/vfio_iommu_type1.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index f471600985ff7..6cc47af1f06d3 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -380,8 +380,8 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
vma = find_vma_intersection(mm, vaddr, vaddr + 1);
if (vma && vma->vm_flags & VM_PFNMAP) {
- *pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
- if (is_invalid_reserved_pfn(*pfn))
+ if (!follow_pfn(vma, vaddr, pfn) &&
+ is_invalid_reserved_pfn(*pfn))
ret = 0;
}
--
2.20.1
next prev parent reply other threads:[~2020-05-07 14:35 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-07 14:27 [PATCH AUTOSEL 5.4 01/35] RDMA/mlx4: Initialize ib_spec on the stack Sasha Levin
2020-05-07 14:27 ` [PATCH AUTOSEL 5.4 02/35] RDMA/siw: Fix potential siw_mem refcnt leak in siw_fastreg_mr() Sasha Levin
2020-05-07 14:27 ` [PATCH AUTOSEL 5.4 03/35] nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl Sasha Levin
2020-05-07 14:27 ` [PATCH AUTOSEL 5.4 04/35] vfio: avoid possible overflow in vfio_iommu_type1_pin_pages Sasha Levin
2020-05-07 14:27 ` [PATCH AUTOSEL 5.4 05/35] riscv: fix vdso build with lld Sasha Levin
2020-05-07 14:27 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 06/35] scsi: qla2xxx: set UNLOADING before waiting for session deletion Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 07/35] scsi: qla2xxx: check UNLOADING before posting async work Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 08/35] scsi: target/iblock: fix WRITE SAME zeroing Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 09/35] RDMA/mlx5: Set GRH fields in query QP on RoCE Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 10/35] RDMA/core: Prevent mixed use of FDs between shared ufiles Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 11/35] dmaengine: pch_dma.c: Avoid data race between probe and irq handler Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 12/35] dmaengine: mmp_tdma: Do not ignore slave config validation errors Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 13/35] dmaengine: mmp_tdma: Reset channel error on release Sasha Levin
2020-05-07 14:28 ` Sasha Levin [this message]
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 15/35] ALSA: hda: Match both PCI ID and SSID for driver blacklist Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 16/35] selftests/ftrace: Check the first record for kprobe_args_type.tc Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 17/35] RDMA/core: Fix race between destroy and release FD object Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 18/35] cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 19/35] dma-buf: Fix SET_NAME ioctl uapi Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 20/35] nvme: prevent double free in nvme_alloc_ns() error handling Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 21/35] dmaengine: dmatest: Fix iteration non-stop logic Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 22/35] i2c: iproc: generate stop event for slave writes Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 23/35] ALSA: hda/hdmi: fix race in monitor detection during probe Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 24/35] dmaengine: dmatest: Fix process hang when reading 'wait' parameter Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 25/35] drm/amd/powerplay: avoid using pm_en before it is initialized revised Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 26/35] SUNRPC: defer slow parts of rpc_free_client() to a workqueue Sasha Levin
2020-05-07 21:18 ` NeilBrown
2020-05-16 23:10 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 27/35] drm/amd/display: check if REFCLK_CNTL register is present Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 28/35] drm/amd/display: Update downspread percent to match spreadsheet for DCN2.1 Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 29/35] Fix use after free in get_tree_bdev() Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 30/35] drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 31/35] ALSA: opti9xx: shut up gcc-10 range warning Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 32/35] i2c: aspeed: Avoid i2c interrupt status clear race condition Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 33/35] arm64: vdso: Add -fasynchronous-unwind-tables to cflags Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 34/35] iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system Sasha Levin
2020-05-07 14:28 ` Sasha Levin
2020-05-07 14:28 ` [PATCH AUTOSEL 5.4 35/35] iommu/qcom: Fix local_base status check Sasha Levin
2020-05-07 14:28 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200507142830.26239-14-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=alex.williamson@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sean.j.christopherson@intel.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.