From patchwork Fri May 19 06:58:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yan Zhao X-Patchwork-Id: 96238 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1062049vqo; Fri, 19 May 2023 01:02:18 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6RKVSKASFTMDEzyBFFc8YhVUobc9rQzoZ/8vS6XgVaRVbLNyYxv6COHeguXbiYMyYDIJaK X-Received: by 2002:a05:6a00:847:b0:646:7234:cbfc with SMTP id q7-20020a056a00084700b006467234cbfcmr2396985pfk.27.1684483338555; Fri, 19 May 2023 01:02:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684483338; cv=none; d=google.com; s=arc-20160816; b=oJkC+sz/3ko7RRxv+O/fxmDNlZ6rzUnSOsf4Oj8uk7h3LDcu4iVdqRaQAVddZeNpwL CzmyDr1m/5xhRR4wgTZzEkzqx/9L/DXRd2Si4J+H2fpSJ7K7sHAc3r6REOJcMEDGaUGh hFZWWXWX0C1tIepN4VVpHl20Em2tIucl33KYzNDMmSEOZmdhcbmAng5EBadYs/I0b+sK cIdSwXAbpEAP6+34eOS97H8YdOhywAUxiLqGMHf1XCEYYDGcDRyiPaK8v7QyIJ/FlXRY DeBhJV62pdMzM8kvCO4VcGS20kxWTmNjwPJwmi5DMc9no5g4O0oPeZCPe/3bA8RKZqrM IHSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from :dkim-signature; bh=BpUW9Zmks8X6HHR4Rnm+58CSW4VUmTPjoc+I617lUy0=; b=q5MlDZA5TjqkGHu9jaFb/ImWF4Ldg4qZwKI6zfy2W7XoQHpqubuHdJW4Ax511ehBGI IsjsSswi3iD4ib1sviLp33foC9vWNVJ6lOkxUF571uWMMATiD4FEyjZvszPy1Fo7vHJ8 X+M3Ywu7tqeRMq3/wLZQWiaCrURezbEsIUAWtgDNX99Fr/tHjvaAdlG+moZ8PeZQVZHq FlM0G4uvjgP2fEX3V3mo4JLqCs59gG33oFEKYY69WqITd3nZKBhfOB/tBp98eolanSpq H9fDNQXGzPmCoMimzGpRrxkMEUv167o7eTrlqL0aOyMcpbBgLipfnMmFytGcl6HWSa2Q wWXw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=BDl4W2RP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 66-20020a621845000000b006436ead4abesi3129880pfy.227.2023.05.19.01.02.05; Fri, 19 May 2023 01:02:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=BDl4W2RP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230073AbjESHX5 (ORCPT + 99 others); Fri, 19 May 2023 03:23:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55646 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229436AbjESHXz (ORCPT ); Fri, 19 May 2023 03:23:55 -0400 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 85FED109; Fri, 19 May 2023 00:23:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1684481034; x=1716017034; h=from:to:cc:subject:date:message-id; bh=+qJJtos13heGRt9cQEvKtBbo1R9ZeJIEF8B5TXfKWnw=; b=BDl4W2RPIEn+lY2IZKH3o2IPgXk/DFdg0yWBe8dR98C0D/iMve8AAa9u yEQjQ5dk8BhCBvB7vnmzTbpD8dsAQLITOApq8CJUrd0XjholN5J1zNIcM 5BmOcan3egKrdhG49zg8Vmea04CG/ypFYvMgIaYEikxuofsC6Njc6iLYS lQ2wirBWhfyRA2cNyoj9OmLqwxqnYEZqQZIrWyBmwjCPsjfQji/BJckO0 T/0KwH0c4m+86JDIfQa/M7NLn6Awd1c/xcAKEya4bK0OBkg0mDcPYKOqK MsTeR0Fh8YsMfuyx9/ZcqeiVjW2gDpfgAkWDeEd4TSD/uygDWqVjTXq0r A==; X-IronPort-AV: E=McAfee;i="6600,9927,10714"; a="349819458" X-IronPort-AV: E=Sophos;i="6.00,176,1681196400"; d="scan'208";a="349819458" Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 May 2023 00:23:54 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10714"; a="772201167" X-IronPort-AV: E=Sophos;i="6.00,176,1681196400"; d="scan'208";a="772201167" Received: from yzhao56-desk.sh.intel.com ([10.239.159.62]) by fmsmga004-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 May 2023 00:23:52 -0700 From: Yan Zhao To: kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: alex.williamson@redhat.com, kevin.tian@intel.com, jgg@nvidia.com, Yan Zhao , Sean Christopherson Subject: [PATCH v2] vfio/type1: check pfn valid before converting to struct page Date: Fri, 19 May 2023 14:58:43 +0800 Message-Id: <20230519065843.10653-1-yan.y.zhao@intel.com> X-Mailer: git-send-email 2.17.1 X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1766044657235064349?= X-GMAIL-MSGID: =?utf-8?q?1766308801138151056?= Check physical PFN is valid before converting the PFN to a struct page pointer to be returned to caller of vfio_pin_pages(). vfio_pin_pages() pins user pages with contiguous IOVA. If the IOVA of a user page to be pinned belongs to vma of vm_flags VM_PFNMAP, pin_user_pages_remote() will return -EFAULT without returning struct page address for this PFN. This is because usually this kind of PFN (e.g. MMIO PFN) has no valid struct page address associated. Upon this error, vaddr_get_pfns() will obtain the physical PFN directly. While previously vfio_pin_pages() returns to caller PFN arrays directly, after commit 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()"), PFNs will be converted to "struct page *" unconditionally and therefore the returned "struct page *" array may contain invalid struct page addresses. Given current in-tree users of vfio_pin_pages() only expect "struct page * returned, check PFN validity and return -EINVAL to let the caller be aware of IOVAs to be pinned containing PFN not able to be returned in "struct page *" array. So that, the caller will not consume the returned pointer (e.g. test PageReserved()) and avoid error like "supervisor read access in kernel mode". Fixes: 34a255e67615 ("vfio: Replace phys_pfn with pages for vfio_pin_pages()") Cc: Sean Christopherson Reviewed-by: Jason Gunthorpe Signed-off-by: Yan Zhao Reviewed-by: Sean Christopherson --- v2: update commit message to explain background/problem clearly. (Sean) --- drivers/vfio/vfio_iommu_type1.c | 5 +++++ 1 file changed, 5 insertions(+) base-commit: b3c98052d46948a8d65d2778c7f306ff38366aac diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c index 493c31de0edb..0620dbe5cca0 100644 --- a/drivers/vfio/vfio_iommu_type1.c +++ b/drivers/vfio/vfio_iommu_type1.c @@ -860,6 +860,11 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data, if (ret) goto pin_unwind; + if (!pfn_valid(phys_pfn)) { + ret = -EINVAL; + goto pin_unwind; + } + ret = vfio_add_to_pfn_list(dma, iova, phys_pfn); if (ret) { if (put_pfn(phys_pfn, dma->prot) && do_accounting)