From patchwork Mon Dec 17 21:53:33 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jim Mattson X-Patchwork-Id: 10734335 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B3D1E13B5 for ; Mon, 17 Dec 2018 21:53:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9DB3F2A455 for ; Mon, 17 Dec 2018 21:53:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9ABF92A451; Mon, 17 Dec 2018 21:53:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7C60F2A45C for ; Mon, 17 Dec 2018 21:53:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727283AbeLQVxp (ORCPT ); Mon, 17 Dec 2018 16:53:45 -0500 Received: from mail-pl1-f201.google.com ([209.85.214.201]:37293 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726574AbeLQVxo (ORCPT ); Mon, 17 Dec 2018 16:53:44 -0500 Received: by mail-pl1-f201.google.com with SMTP id v11so10202628ply.4 for ; Mon, 17 Dec 2018 13:53:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=sN7wDI/+A2Ba26xw2KoZzaxBeVRqTqgm/EXSUavwZqY=; b=UBtSi/pILfmdrToS99SBhA2p7cxj2R/k5Lyp2CKZlSr/arn66JrBm6s/tdAbsRO6fL kC6/j+WGPAWU/rDKnndL5qHYsnaa9YZH9SP5MFNVePWowGlMtOYUkl7KQK+z5tmbBMre zKUpQILyelPJeiN6nWGqbmYPgR9MP0U2Crns+Vl4rEH0IHeGVWGvzs+gyxs3lMXhyE/A GKg+GHtyF4M8eIgOwPlX+r91xTmyOMbhHtG9KyNvV5j7ts3xTnPAHkTumcSQy8DKBwjD KMoChOj9pbxI+FBE3wYvv6UjhyXiElG014GUBVmmYGTb+8SaAcHcAMVHXqOIFzFbXxj9 CdMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=sN7wDI/+A2Ba26xw2KoZzaxBeVRqTqgm/EXSUavwZqY=; b=jWNlN4SoGriOrsxOo+UvNdO7yp8KxZv5zLeqDVBfF6+XiUP4wvpmChqLp8xkoSAN7n 6rBVEzh8KpkL1SBACNQQnFkiWQrJR6zH3tOke+7NgM9i9AB6kbuaVEQabTsO1hVvKtyk VS6YzNAqbceuw+V9Sz1of3mRNCP6X8xdOtQ/oVIJfL+sHyD4GnL1yojy7OvkJZZ/NcW4 xPuaO1CkQ9PNXUQJEtbxMJJaWLq7Y+kKOOvQCdlUQjj4Oj/r4KYQeLn6NJsHBJ0tdExU vRjnmm5M+ed0lyVXu79c97q2qvDqnGAhZgtQxFs4WI0YWD+6BLTmzE6P+fkMBqQZJ6ST wbAg== X-Gm-Message-State: AA+aEWaFzLjwiZ6Ko/aQ8Z2zbR1zC7xz8bfujr0nUL77EyMyE/11Z7TG N5R0Y2PiB6SAK7xZGX4gO1AnJRGuhxIsBHcGUE1ynRn/wcatNhlsLjrjdG3UuMmkhdyepXr5AaI R0ay99tCEgEvarMTlo6OSutV97HpQsb9fVe+im5Mth60/g80FNdizwQ9R1doPZwg= X-Google-Smtp-Source: AFSGD/X36xYR1jf/Y4KmY2yCVO75QCR1kdIj9teg1Bk09VplQapkoNFTlU7JK8P2D4B1Z6bXHqfV5CT2+qCVLQ== X-Received: by 2002:a62:6441:: with SMTP id y62mr8026773pfb.13.1545083624216; Mon, 17 Dec 2018 13:53:44 -0800 (PST) Date: Mon, 17 Dec 2018 13:53:33 -0800 Message-Id: <20181217215333.161892-1-jmattson@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.20.0.405.gbc1bbc6f85-goog Subject: [PATCH] kvm: Disallow wraparound in kvm_gfn_to_hva_cache_init From: Jim Mattson To: kvm@vger.kernel.org Cc: Jim Mattson , Cfir Cohen , Marc Orr , Andrew Honig Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Previously, in the case where (gpa + len) wrapped around, the entire region was not validated, as the comment claimed. It doesn't actually seem that wraparound should be allowed here at all. Furthermore, since some callers don't check the return code from this function, it seems prudent to clear ghc->memslot in the event of an error. Fixes: 8f964525a121f ("KVM: Allow cross page reads and writes from cached translations.") Reported-by: Cfir Cohen Signed-off-by: Jim Mattson Reviewed-by: Cfir Cohen Reviewed-by: Marc Orr Cc: Andrew Honig --- virt/kvm/kvm_main.c | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 0041947b7390d..3be46841db06b 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -2005,32 +2005,33 @@ static int __kvm_gfn_to_hva_cache_init(struct kvm_memslots *slots, gfn_t end_gfn = (gpa + len - 1) >> PAGE_SHIFT; gfn_t nr_pages_needed = end_gfn - start_gfn + 1; gfn_t nr_pages_avail; + int r = start_gfn <= end_gfn ? 0 : -EINVAL; ghc->gpa = gpa; ghc->generation = slots->generation; ghc->len = len; - ghc->memslot = __gfn_to_memslot(slots, start_gfn); - ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, NULL); - if (!kvm_is_error_hva(ghc->hva) && nr_pages_needed <= 1) { + ghc->hva = KVM_HVA_ERR_BAD; + + /* + * If the requested region crosses two memslots, we still + * verify that the entire region is valid here. + */ + while (!r && start_gfn <= end_gfn) { + ghc->memslot = __gfn_to_memslot(slots, start_gfn); + ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, + &nr_pages_avail); + if (kvm_is_error_hva(ghc->hva)) + r = -EFAULT; + start_gfn += nr_pages_avail; + } + + /* Use the slow path for cross page reads and writes. */ + if (!r && nr_pages_needed == 1) ghc->hva += offset; - } else { - /* - * If the requested region crosses two memslots, we still - * verify that the entire region is valid here. - */ - while (start_gfn <= end_gfn) { - nr_pages_avail = 0; - ghc->memslot = __gfn_to_memslot(slots, start_gfn); - ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, - &nr_pages_avail); - if (kvm_is_error_hva(ghc->hva)) - return -EFAULT; - start_gfn += nr_pages_avail; - } - /* Use the slow path for cross page reads and writes. */ + else ghc->memslot = NULL; - } - return 0; + + return r; } int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,