search for: log_base

Vq log_base is the userspace address of bitmap which has nothing to do with IOTLB. So it needs to be validated unconditionally otherwise we may try use 0 as log_base which may lead to pin pages that will lead unexpected result (e.g trigger BUG_ON() in set_bit_to_user()). Fixes: 6b1e6cc7855b0 ("vhost: new...

Vq log_base is the userspace address of bitmap which has nothing to do with IOTLB. So it needs to be validated unconditionally otherwise we may try use 0 as log_base which may lead to pin pages that will lead unexpected result (e.g trigger BUG_ON() in set_bit_to_user()). Fixes: 6b1e6cc7855b0 ("vhost: new...

...amp;& access_ok(VERIFY_READ, avail, sizeof *avail + num * sizeof *avail->ring) && @@ -447,6 +455,9 @@ int vhost_log_access_ok(struct vhost_dev *dev) /* Caller should have vq mutex and device mutex */ static int vq_log_access_ok(struct vhost_virtqueue *vq, void __user *log_base) { + if (vq->num > UINT_MAX / sizeof *vq->used->ring - sizeof *vq->used) + return 0; + return vq_memory_access_ok(log_base, vq->dev->memory, vhost_has_feature(vq->dev, VHOST_F_LOG_ALL)) && (!vq->log_used || log_access_ok(log_base, vq->log_addr, @...

...amp;& access_ok(VERIFY_READ, avail, sizeof *avail + num * sizeof *avail->ring) && @@ -447,6 +455,9 @@ int vhost_log_access_ok(struct vhost_dev *dev) /* Caller should have vq mutex and device mutex */ static int vq_log_access_ok(struct vhost_virtqueue *vq, void __user *log_base) { + if (vq->num > UINT_MAX / sizeof *vq->used->ring - sizeof *vq->used) + return 0; + return vq_memory_access_ok(log_base, vq->dev->memory, vhost_has_feature(vq->dev, VHOST_F_LOG_ALL)) && (!vq->log_used || log_access_ok(log_base, vq->log_addr, @...

...eterz at infradead.org> Cc: Darren Hart <dvhart at infradead.org> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from RFC V2: - drop GUP and provide get_user()/put_user() fallbacks - round down log_base Changes from RFC V1: - switch to use arch_futex_atomic_op_inuser() --- drivers/vhost/vhost.c | 54 ++++++++++++++++++++++++++++----------------------- 1 file changed, 30 insertions(+), 24 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 351af88..7fa05ba 100644 --- a/d...

...eterz at infradead.org> Cc: Darren Hart <dvhart at infradead.org> Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server") Signed-off-by: Jason Wang <jasowang at redhat.com> --- Changes from RFC V2: - drop GUP and provide get_user()/put_user() fallbacks - round down log_base Changes from RFC V1: - switch to use arch_futex_atomic_op_inuser() --- drivers/vhost/vhost.c | 54 ++++++++++++++++++++++++++++----------------------- 1 file changed, 30 insertions(+), 24 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 351af88..7fa05ba 100644 --- a/d...

v2: * Rewrote the conditional to make the vq access check clearer [Linus] * Added Patch 2 to make the return type consistent and harder to misuse [Linus] The first patch fixes the vhost virtqueue access check which was recently broken. The second patch replaces the int return type with bool to prevent future bugs. Stefan Hajnoczi (2): vhost: fix vhost_vq_access_ok() log check vhost:

v2: * Rewrote the conditional to make the vq access check clearer [Linus] * Added Patch 2 to make the return type consistent and harder to misuse [Linus] The first patch fixes the vhost virtqueue access check which was recently broken. The second patch replaces the int return type with bool to prevent future bugs. Stefan Hajnoczi (2): vhost: fix vhost_vq_access_ok() log check vhost:

...39 +++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 2b65d9b..c8c25db 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -230,7 +230,7 @@ static int log_access_ok(void __user *log_base, u64 addr, unsigned long sz) } /* Caller should have vq mutex and device mutex. */ -static int vq_memory_access_ok(struct vhost_virtqueue *vq, struct vhost_memory *mem, +static int vq_memory_access_ok(void __user *log_base, struct vhost_memory *mem, int log_all) { int i; @@ -242,7...

...39 +++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 2b65d9b..c8c25db 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -230,7 +230,7 @@ static int log_access_ok(void __user *log_base, u64 addr, unsigned long sz) } /* Caller should have vq mutex and device mutex. */ -static int vq_memory_access_ok(struct vhost_virtqueue *vq, struct vhost_memory *mem, +static int vq_memory_access_ok(void __user *log_base, struct vhost_memory *mem, int log_all) { int i; @@ -242,7...

v3: * Rebased onto net/master and resolved conflict [DaveM] v2: * Rewrote the conditional to make the vq access check clearer [Linus] * Added Patch 2 to make the return type consistent and harder to misuse [Linus] The first patch fixes the vhost virtqueue access check which was recently broken. The second patch replaces the int return type with bool to prevent future bugs. Stefan Hajnoczi

v3: * Rebased onto net/master and resolved conflict [DaveM] v2: * Rewrote the conditional to make the vq access check clearer [Linus] * Added Patch 2 to make the return type consistent and harder to misuse [Linus] The first patch fixes the vhost virtqueue access check which was recently broken. The second patch replaces the int return type with bool to prevent future bugs. Stefan Hajnoczi

...-git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 93fd0c75b0d8..b6a082ef33dd 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -641,14 +641,14 @@ void vhost_dev_cleanup(struct vhost_dev *dev) } EXPORT_SYMBOL_GPL(vhost_dev_cleanup); -static int log_access_ok(void __user *log_base, u64 addr, unsigned long sz) +static bool log_access_ok(void __user *log_base, u64 addr, unsigned long sz) { u64 a = addr / VHOST_PAGE_SIZE / 8; /* Make sure 64 bit math will not overflow. */ if (a > ULONG_MAX - (unsigned long)log_base || a + (unsigned long)log_base > ULONG_MAX...

...-git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index fc805b7fad9d..0fcb51a9940c 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -641,14 +641,14 @@ void vhost_dev_cleanup(struct vhost_dev *dev) } EXPORT_SYMBOL_GPL(vhost_dev_cleanup); -static int log_access_ok(void __user *log_base, u64 addr, unsigned long sz) +static bool log_access_ok(void __user *log_base, u64 addr, unsigned long sz) { u64 a = addr / VHOST_PAGE_SIZE / 8; /* Make sure 64 bit math will not overflow. */ if (a > ULONG_MAX - (unsigned long)log_base || a + (unsigned long)log_base > ULONG_MAX...

...9;s OK otherwise it should return 0. Signed-off-by: Dan Carpenter <error27 at gmail.com> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index c2aa12c..f82fe57 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -371,7 +371,7 @@ static int log_access_ok(void __user *log_base, u64 addr, unsigned long sz) /* Make sure 64 bit math will not overflow. */ if (a > ULONG_MAX - (unsigned long)log_base || a + (unsigned long)log_base > ULONG_MAX) - return -EFAULT; + return 0; return access_ok(VERIFY_WRITE, log_base + a, (sz + VHOST_PAGE_SIZE * 8 - 1) /...

...9;s OK otherwise it should return 0. Signed-off-by: Dan Carpenter <error27 at gmail.com> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index c2aa12c..f82fe57 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -371,7 +371,7 @@ static int log_access_ok(void __user *log_base, u64 addr, unsigned long sz) /* Make sure 64 bit math will not overflow. */ if (a > ULONG_MAX - (unsigned long)log_base || a + (unsigned long)log_base > ULONG_MAX) - return -EFAULT; + return 0; return access_ok(VERIFY_WRITE, log_base + a, (sz + VHOST_PAGE_SIZE * 8 - 1) /...

...tomic(page); - set_bit(bit, base); - kunmap_atomic(base); + + r = arch_futex_atomic_op_inuser(FUTEX_OP_ADD, 1 << nr, &old, addr); + /* TODO: fallback to kmap() when -ENOSYS? */ + set_page_dirty_lock(page); put_page(page); - return 0; + return r; } -static int log_write(void __user *log_base, +static int log_write(u32 __user *log_base, u64 write_address, u64 write_length) { u64 write_page = write_address / VHOST_PAGE_SIZE; @@ -1726,12 +1727,10 @@ static int log_write(void __user *log_base, return 0; write_length += write_address % VHOST_PAGE_SIZE; for (;;) { - u64 ba...

...tomic(page); - set_bit(bit, base); - kunmap_atomic(base); + + r = arch_futex_atomic_op_inuser(FUTEX_OP_ADD, 1 << nr, &old, addr); + /* TODO: fallback to kmap() when -ENOSYS? */ + set_page_dirty_lock(page); put_page(page); - return 0; + return r; } -static int log_write(void __user *log_base, +static int log_write(u32 __user *log_base, u64 write_address, u64 write_length) { u64 write_page = write_address / VHOST_PAGE_SIZE; @@ -1726,12 +1727,10 @@ static int log_write(void __user *log_base, return 0; write_length += write_address % VHOST_PAGE_SIZE; for (;;) { - u64 ba...

..., total_len))) { > vhost_poll_queue(&vq->poll); > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 55e5aa662ad5..3660310604fd 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -1733,11 +1733,67 @@ static int log_write(void __user *log_base, > return r; > } > > +static int log_write_hva(struct vhost_virtqueue *vq, u64 hva, u64 len) > +{ > + struct vhost_umem *umem = vq->umem; > + struct vhost_umem_node *u; > + u64 gpa; > + int r; > + bool hit = false; > + > + list_for_each_entry(u, &umem...

..., total_len))) { > vhost_poll_queue(&vq->poll); > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 55e5aa662ad5..3660310604fd 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -1733,11 +1733,67 @@ static int log_write(void __user *log_base, > return r; > } > > +static int log_write_hva(struct vhost_virtqueue *vq, u64 hva, u64 len) > +{ > + struct vhost_umem *umem = vq->umem; > + struct vhost_umem_node *u; > + u64 gpa; > + int r; > + bool hit = false; > + > + list_for_each_entry(u, &umem...