| Message ID | 20230516093007.15234-1-yan.y.zhao@intel.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp306691vqo;
Tue, 16 May 2023 03:03:51 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ7w5JaDRgw4HgevRJtcSPKvWWpMv8L5eqDRoNj7san/lOFSKT4f7JmLaeLsB5QPc9fL7olC
X-Received: by 2002:a05:6a20:3d8a:b0:105:5caa:b49c with SMTP id
s10-20020a056a203d8a00b001055caab49cmr12549459pzi.23.1684231431505;
Tue, 16 May 2023 03:03:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684231431; cv=none;
d=google.com; s=arc-20160816;
b=Bkj5XxVeejT4EFH3YkILJhI6hUBkPxoszE23YzBDXhQub/MvDAq4bY8bFNocPFn2Av
BVSMF8AYQi+Lf3PwnjE/1WN44Y3xKNHj+bjxAwDI2oDHz7SEaKeJwAfVcaJWdjd0VkHT
MaOUilfdcfgwmLOAhwPCmpFLtWZOVXnhE+qPD/vF6UcaAFkX/frdH3fleTry7fJfeVI/
iSrnnQP+pZeLBgk4DS+Zfo10QmTTUG+ebLhETnfSd/RrCwfHo8uV/PqGvWghMWkHPhSM
/ht+wglcKNYW5JUZtb8TiAHJ0tRQ/rLkSkJsS7z3xr7GRczSUcIYptkrvIsvzz2CJ3bv
dWXA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:message-id:date:subject:cc:to:from
:dkim-signature;
bh=nboEtTC59hASovdL/OImO/fViGKTbMgdunqRv/LaYV8=;
b=PIE119nvQ/LtI4GO4ikw1dHsoDwj1u4Kuw+Pc6JbsrQo6a9Hk95Ac++n6k+J7XDP+Z
+gU7zE/Q5ZIX4hjbEZ7utOVYibqwDRjk3K5vPioynSSDymibhdtYMszfALpXTErdr/k5
+FKRdR3qj4yAtg3mLLiLNcJvi8JX9vc/o2y9hFe4ylG1PBdbQqxzXNVKzZN/cP98oFgd
VxHJYvdJ2wYRQe0HUBvRVtdY9GsfjQytLigcrqN8bC1mwPr8Dj0cTqZSm9X/PqgY15SH
l8Am+3c/XZFbQ0lHcHnXH2ZQ5Jg0bLwJI5CDyWhdm2G0hl7pfsB+oRcz4xwsiMwcwZk3
v2Zg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=POyKr2J5;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
p27-20020a63951b000000b00530b6949dcdsi7440410pgd.218.2023.05.16.03.03.39;
Tue, 16 May 2023 03:03:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=POyKr2J5;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232181AbjEPJzS (ORCPT <rfc822;peekingduck44@gmail.com>
+ 99 others); Tue, 16 May 2023 05:55:18 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59500 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231670AbjEPJzQ (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 16 May 2023 05:55:16 -0400
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6EF1311C;
Tue, 16 May 2023 02:55:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1684230915; x=1715766915;
h=from:to:cc:subject:date:message-id;
bh=yvx6OAowd/7NW7S209apHRJ64Wqyi4a60sJdPM3jAuA=;
b=POyKr2J56/MGd34nKfkJt0++dZ5Tt+vB4SYabp3yYU2MVFzJmhisKe6s
CYzThhG+0/WI8E7RN/C9v6Y4WO3WyhtVRiDUn8NTsOMREDp7QBHBIWpLH
yedfT3V1XaxP7FZubCDgwAZNTD1YetS0Gdn0Ra3KM77owb3RgcswBPyu9
YlBpAaypuZ0Hr+42LeAnpT0WqF3u/EghdpI3a7JVvEWg7HEI6kpJ080q4
w7DohvxPjlrRh6ADaPMnoTGykKPkBgQuPPGvbq/qz2gIvIY6uUDirdAVx
Ryrvavp4RCYe+HjuMM2iDxG8OjBGGNFaQF2Y2TnbXWrsSSITIDlJI5gmM
w==;
X-IronPort-AV: E=McAfee;i="6600,9927,10711"; a="353715105"
X-IronPort-AV: E=Sophos;i="5.99,278,1677571200";
d="scan'208";a="353715105"
Received: from orsmga001.jf.intel.com ([10.7.209.18])
by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
16 May 2023 02:55:13 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10711"; a="734210813"
X-IronPort-AV: E=Sophos;i="5.99,278,1677571200";
d="scan'208";a="734210813"
Received: from yzhao56-desk.sh.intel.com ([10.239.159.62])
by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
16 May 2023 02:55:11 -0700
From: Yan Zhao <yan.y.zhao@intel.com>
To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: alex.williamson@redhat.com, kevin.tian@intel.com, jgg@nvidia.com,
Yan Zhao <yan.y.zhao@intel.com>
Subject: [PATCH] vfio/type1: check pfn valid before converting to struct page
Date: Tue, 16 May 2023 17:30:07 +0800
Message-Id: <20230516093007.15234-1-yan.y.zhao@intel.com>
X-Mailer: git-send-email 2.17.1
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,
T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1766044657235064349?=
X-GMAIL-MSGID: =?utf-8?q?1766044657235064349?=
|
| Series |
vfio/type1: check pfn valid before converting to struct page
|
|
Commit Message
Yan Zhao
May 16, 2023, 9:30 a.m. UTC
vfio_pin_page_external() can return a phys_pfn for vma with VM_PFNMAP,
e.g. for MMIO PFNs.
It's necessary to check if it's a valid pfn before calling pfn_to_page().
Fixes: 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()")
Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
---
drivers/vfio/vfio_iommu_type1.c | 5 +++++
1 file changed, 5 insertions(+)
base-commit: b3c98052d46948a8d65d2778c7f306ff38366aac
Comments
On Tue, May 16, 2023 at 05:30:07PM +0800, Yan Zhao wrote: > vfio_pin_page_external() can return a phys_pfn for vma with VM_PFNMAP, > e.g. for MMIO PFNs. > > It's necessary to check if it's a valid pfn before calling pfn_to_page(). > > Fixes: 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()") > Signed-off-by: Yan Zhao <yan.y.zhao@intel.com> > --- > drivers/vfio/vfio_iommu_type1.c | 5 +++++ > 1 file changed, 5 insertions(+) Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Jason
On Tue, May 16, 2023, Yan Zhao wrote: > vfio_pin_page_external() can return a phys_pfn for vma with VM_PFNMAP, > e.g. for MMIO PFNs. > > It's necessary to check if it's a valid pfn before calling pfn_to_page(). > > Fixes: 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()") Might be worth adding a blurb to call out that this is _not_ ABI breakage. Prior to the buggy commit, KVMGT manually checked that the pfn pinned by vfio_pin_pages() was pfn_valid(), and s390's driver(s) either blindly expected struct page memory, e.g. did ret = page_array_pin(&pa, vdev); if (ret < 0) { page_array_unpin_free(&pa, vdev); return ret; } l = n; for (i = 0; i < pa.pa_nr; i++) { struct page *page = pfn_to_page(pa.pa_pfn[i]); void *from = kmap_local_page(page); or in the case of its crypto driver, apparently was all kinds of confused about virtual vs. physical, i.e. likely couldn't have worked with anything but "normal" memory anyways. AFAICT, those are the only in-tree users of vfio_pin_pages().
On Wed, May 17, 2023 at 08:19:04AM -0700, Sean Christopherson wrote: > On Tue, May 16, 2023, Yan Zhao wrote: > > vfio_pin_page_external() can return a phys_pfn for vma with VM_PFNMAP, > > e.g. for MMIO PFNs. > > > > It's necessary to check if it's a valid pfn before calling pfn_to_page(). > > > > Fixes: 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()") > > Might be worth adding a blurb to call out that this is _not_ ABI breakage. Prior Do you mean "_not_ ABI breakage" with 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()") or with this fix commit? > to the buggy commit, KVMGT manually checked that the pfn pinned by vfio_pin_pages() > was pfn_valid(), and s390's driver(s) either blindly expected struct page memory, > e.g. did > > ret = page_array_pin(&pa, vdev); > if (ret < 0) { > page_array_unpin_free(&pa, vdev); > return ret; > } > > l = n; > for (i = 0; i < pa.pa_nr; i++) { > struct page *page = pfn_to_page(pa.pa_pfn[i]); > void *from = kmap_local_page(page); > > or in the case of its crypto driver, apparently was all kinds of confused about > virtual vs. physical, i.e. likely couldn't have worked with anything but "normal" > memory anyways. > > AFAICT, those are the only in-tree users of vfio_pin_pages(). Though there are no in-tree users currently expect vfio_pin_pages() to cover MMIO ranges, with the commit 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()"), the IOVA ranges supported by vfio_pin_pages() is still reduced. Previously, it's the callers(vendor drivers)' option to decide if they want to support MMIO GFNs or not, while now only if there are other interfaces provided by VFIO, the vendor drivers could not allow pinning of MMIO GFNs, i.e. no guest P2P.
On Thu, May 18, 2023, Yan Zhao wrote: > On Wed, May 17, 2023 at 08:19:04AM -0700, Sean Christopherson wrote: > > On Tue, May 16, 2023, Yan Zhao wrote: > > > vfio_pin_page_external() can return a phys_pfn for vma with VM_PFNMAP, > > > e.g. for MMIO PFNs. > > > > > > It's necessary to check if it's a valid pfn before calling pfn_to_page(). > > > > > > Fixes: 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()") > > > > Might be worth adding a blurb to call out that this is _not_ ABI breakage. Prior > Do you mean "_not_ ABI breakage" with > 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()") > or with this fix commit? Mostly the former. I brought it up because _if_ there was breakage in that commit, then this fix would be "wrong" in the sense that it wouldn't undo any breakage, and would likely make it harder to restore the previous behavior.
On Thu, May 18, 2023 at 11:07:09AM -0700, Sean Christopherson wrote: > On Thu, May 18, 2023, Yan Zhao wrote: > > On Wed, May 17, 2023 at 08:19:04AM -0700, Sean Christopherson wrote: > > > On Tue, May 16, 2023, Yan Zhao wrote: > > > > vfio_pin_page_external() can return a phys_pfn for vma with VM_PFNMAP, > > > > e.g. for MMIO PFNs. > > > > > > > > It's necessary to check if it's a valid pfn before calling pfn_to_page(). > > > > > > > > Fixes: 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()") > > > > > > Might be worth adding a blurb to call out that this is _not_ ABI breakage. Prior > > Do you mean "_not_ ABI breakage" with > > 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()") > > or with this fix commit? > > Mostly the former. I brought it up because _if_ there was breakage in that commit, > then this fix would be "wrong" in the sense that it wouldn't undo any breakage, and > would likely make it harder to restore the previous behavior. Ok. Let me post v2 to describe the problem and background clearly. Thanks!
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c index 493c31de0edb..0620dbe5cca0 100644 --- a/drivers/vfio/vfio_iommu_type1.c +++ b/drivers/vfio/vfio_iommu_type1.c @@ -860,6 +860,11 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data, if (ret) goto pin_unwind; + if (!pfn_valid(phys_pfn)) { + ret = -EINVAL; + goto pin_unwind; + } + ret = vfio_add_to_pfn_list(dma, iova, phys_pfn); if (ret) { if (put_pfn(phys_pfn, dma->prot) && do_accounting)