kernel/linux.git/samples/vfio-mdev, branch v4.19.181Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v4.19.1812020-04-29T14:31:27+00:00vmalloc: fix remap_vmalloc_range() bounds checks2020-04-29T14:31:27+00:00Jann Hornjannh@google.com2020-04-21T01:14:11+00:00urn:sha1:d8da38eafa38b03c741aa63f688e5a77343a77be
commit bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 upstream.
remap_vmalloc_range() has had various issues with the bounds checks it
promises to perform ("This function checks that addr is a valid
vmalloc'ed area, and that it is big enough to cover the vma") over time,
e.g.:
- not detecting pgoff<<PAGE_SHIFT overflow
- not detecting (pgoff<<PAGE_SHIFT)+usize overflow
- not checking whether addr and addr+(pgoff<<PAGE_SHIFT) are the same
vmalloc allocation
- comparing a potentially wildly out-of-bounds pointer with the end of
the vmalloc region
In particular, since commit fc9702273e2e ("bpf: Add mmap() support for
BPF_MAP_TYPE_ARRAY"), unprivileged users can cause kernel null pointer
dereferences by calling mmap() on a BPF map with a size that is bigger
than the distance from the start of the BPF map to the end of the
address space.
This could theoretically be used as a kernel ASLR bypass, by using
whether mmap() with a given offset oopses or returns an error code to
perform a binary search over the possible address range.
To allow remap_vmalloc_range_partial() to verify that addr and
addr+(pgoff<<PAGE_SHIFT) are in the same vmalloc region, pass the offset
to remap_vmalloc_range_partial() instead of adding it to the pointer in
remap_vmalloc_range().
In remap_vmalloc_range_partial(), fix the check against
get_vm_area_size() by using size comparisons instead of pointer
comparisons, and add checks for pgoff.
Fixes: 833423143c3a ("[PATCH] mm: introduce remap_vmalloc_range()")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Yonghong Song <yhs@fb.com>
Cc: Andrii Nakryiko <andriin@fb.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: KP Singh <kpsingh@chromium.org>
Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
vfio-mdev/samples: Use u8 instead of char for handle functions2019-12-05T08:20:28+00:00Nathan Chancellornatechancellor@gmail.com2018-10-19T18:04:27+00:00urn:sha1:005874c5170e70c92010a23d766f76f721ae52ba
[ Upstream commit 8ba35b3a0046d6573c98f00461d9bd1b86250d35 ]
Clang warns:
samples/vfio-mdev/mtty.c:592:39: warning: implicit conversion from 'int'
to 'char' changes value from 162 to -94 [-Wconstant-conversion]
*buf = UART_MSR_DSR | UART_MSR_DDSR | UART_MSR_DCD;
~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~
1 warning generated.
Turns out that all uses of buf in this function ultimately end up stored
or cast to an unsigned type. Just use u8, which has the same number of
bits but can store this larger number so Clang no longer warns.
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
sample: vfio-mdev: avoid deadlock in mdev_access()2018-07-11T19:22:41+00:00Alexey Khoroshilovkhoroshilov@ispras.ru2018-07-06T20:50:06+00:00urn:sha1:498e8bf51c633cc4496343e6113f340f8e9301ae
mdev_access() calls mbochs_get_page() with mdev_state->ops_lock held,
while mbochs_get_page() locks the mutex by itself.
It leads to unavoidable deadlock.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
sample/vfio-mdev: Change return type to vm_fault_t2018-07-04T16:42:04+00:00Souptick Joarderjrdr.linux@gmail.com2018-07-04T15:30:14+00:00urn:sha1:d7ef4899d7182f9d4267b4e4a5cc3689c1a04f25
convert mbochs_region_vm_fault and mbochs_dmabuf_vm_fault
to return vm_fault_t type.
Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
sample/mdev/mbochs: add mbochs_kunmap_dmabuf2018-06-26T06:27:23+00:00Gerd Hoffmannkraxel@redhat.com2018-06-25T06:44:52+00:00urn:sha1:7733e05b34f5d855c5590d816b41ddfee972d188
There is no default implementation for dma_buf_ops->unmap.
So add a function unmapping the page, otherwise we'll leak them.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
sample/mdev/mbochs: remove mbochs_kmap_atomic_dmabuf2018-06-26T06:27:22+00:00Gerd Hoffmannkraxel@redhat.com2018-06-25T06:44:51+00:00urn:sha1:2203d8a76ea3b962559acfe3bb80eddfdfbc9cee
Atomic mapping interface for dmabufs will be removed.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
sample: vfio bochs vbe display (host device for bochs-drm)2018-06-08T16:24:16+00:00Gerd Hoffmannkraxel@redhat.com2018-05-11T15:05:04+00:00urn:sha1:a5e6e6505f38f7bce1d3576503a2bffff3fa888c
Display device, demo-ing the vfio dmabuf display interface
(VFIO_GFX_PLANE_TYPE_DMABUF). Compatible enough to qemu stdvga
that bochs-drm.ko can be used as guest driver.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
sample: vfio mdev display - guest driver2018-06-08T16:24:13+00:00Gerd Hoffmannkraxel@redhat.com2018-05-11T15:05:04+00:00urn:sha1:cacade1946a41b38dcdf3defb0f931453587eac9
Guest fbdev driver for CONFIG_SAMPLE_VFIO_MDEV_MDPY.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
sample: vfio mdev display - host device2018-06-08T16:24:09+00:00Gerd Hoffmannkraxel@redhat.com2018-05-11T15:05:03+00:00urn:sha1:d61fc96f47fdac1f031ed4eafa9106fe10cdaa37
Simple framebuffer display, demo-ing the vfio region display interface
(VFIO_GFX_PLANE_TYPE_REGION).
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
vfio-mdev/samples: change RDI interrupt condition2018-03-22T19:18:18+00:00Shunyong Yangshunyong.yang@hxt-semitech.com2018-03-21T18:46:23+00:00urn:sha1:c9f89c3f87cfc026d88c08054710902dd52a7772
When FIFO mode is enabled, the receive data available interrupt
(UART_IIR_RDI in code) should be triggered when the number of data
in FIFO is equal or larger than interrupt trigger level.
This patch changes the trigger level check to ensure multiple bytes
received from upper layer can trigger RDI interrupt correctly.
Cc: Joey Zheng <yu.zheng@hxt-semitech.com>
Signed-off-by: Shunyong Yang <shunyong.yang@hxt-semitech.com>
Reviewed by: Kirti Wankhede <kwankhede@nvidia.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>