
Commit d65026c6 authored by Jason Wang, committed by David S. Miller

vhost: validate log when IOTLB is enabled



Vq log_base is the userspace address of bitmap which has nothing to do
with IOTLB. So it needs to be validated unconditionally, otherwise we
may try to use 0 as log_base, which may lead to pinning pages that will lead
to unexpected results (e.g. trigger BUG_ON() in set_bit_to_user()).

Fixes: 6b1e6cc7 ("vhost: new device IOTLB API")
Reported-by: <syzbot+6304bf97ef436580fede@syzkaller.appspotmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 58f101bf
+6 −8
@@ -1244,14 +1244,12 @@ static int vq_log_access_ok(struct vhost_virtqueue *vq,
/* Caller should have vq mutex and device mutex */
int vhost_vq_access_ok(struct vhost_virtqueue *vq)
{
	if (vq->iotlb) {
		/* When device IOTLB was used, the access validation
		 * will be validated during prefetching.
		 */
		return 1;
	}
	return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used) &&
		vq_log_access_ok(vq, vq->log_base);
	int ret = vq_log_access_ok(vq, vq->log_base);

	if (ret || vq->iotlb)
		return ret;

	return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used);
}
EXPORT_SYMBOL_GPL(vhost_vq_access_ok);
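
Review bot: the early return `if (ret || vq->iotlb) return ret;` in the new body of vhost_vq_access_ok() has the log check inverted for the non-IOTLB case. When vq_log_access_ok() succeeds (ret is nonzero) the function returns immediately and vq_access_ok() on desc/avail/used is never run; when it fails (ret is 0) and no IOTLB is in use, the function falls through and returns whatever vq_access_ok() says, so a bad log_base is still accepted, which is the condition the commit message sets out to reject. Suggest `if (!ret || vq->iotlb) return ret;`, or an explicit `if (!vq_log_access_ok(vq, vq->log_base)) return 0;` ahead of the vq->iotlb test, so that a failed log check always returns 0 and a passed one still requires vq_access_ok() when the IOTLB is not used. The removed comment explaining that IOTLB accesses are validated during prefetching is also worth keeping next to the vq->iotlb test.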