KVM: coalesced_mmio: add bounds checking (232a6462) · Commits · e / devices / android_kernel_oneplus_sm7250

virt/kvm/coalesced_mmio.c

+10 −7

Original line number	Diff line number	Diff line
		@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev,
		return 1;
		}

		static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
		static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
		{
		struct kvm_coalesced_mmio_ring *ring;
		unsigned avail;
		@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
		* there is always one unused entry in the buffer
		*/
		ring = dev->kvm->coalesced_mmio_ring;
		avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
		avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
		if (avail == 0) {
		/* full */
		return 0;
		@@ -67,24 +67,27 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu,
		{
		struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
		struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
		__u32 insert;

		if (!coalesced_mmio_in_range(dev, addr, len))
		return -EOPNOTSUPP;

		spin_lock(&dev->kvm->ring_lock);

		if (!coalesced_mmio_has_room(dev)) {
		insert = READ_ONCE(ring->last);
		if (!coalesced_mmio_has_room(dev, insert) \|\|
		insert >= KVM_COALESCED_MMIO_MAX) {
		spin_unlock(&dev->kvm->ring_lock);
		return -EOPNOTSUPP;
		}

		/* copy data in first free entry of the ring */

		ring->coalesced_mmio[ring->last].phys_addr = addr;
		ring->coalesced_mmio[ring->last].len = len;
		memcpy(ring->coalesced_mmio[ring->last].data, val, len);
		ring->coalesced_mmio[insert].phys_addr = addr;
		ring->coalesced_mmio[insert].len = len;
		memcpy(ring->coalesced_mmio[insert].data, val, len);
		smp_wmb();
		ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
		ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
		spin_unlock(&dev->kvm->ring_lock);
		return 0;
		}