VFIO fixes for v5.7-rc4

- copy_*_user validity check for new vfio_dma_rw interface (Yan Zhao) - Fix a potential math overflow (Yan Zhao) - Use follow_pfn() for calculating PFNMAPs (Sean Christopherson) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iQIcBAABAgAGBQJerJjWAAoJECObm247sIsiznwQAIQZomwMfN5lj1Wf5PNCOpVk T9gSl9ctbzu/hjOo24NLGUw/yUG7tBVjj08IH7pNTk8Yo2dew2l2bcei1tdxX8SB 2tRqb6tZvrZplW6WAmrakQubx/oawsHgmcMwxDXatvsbpXopKdSaNfqY8UZZc4kv c2QYpIgDyoHZmwkHE9OL/WUyXXHpVT12SwWXy+kXuhV6yXMLIREWlC+L574CnzXz VvaIBgS9j9LEL8/4a1sU2HcwarFANrnmHF5+Bl3Fk5fjGF+LJRXgdNil3ppgfsVv iQJ3vZ8YCES2q+rYblk374qerXtK5fh1dYh4XyOUbzkDfk9/8EsAqrUZzF64BqwN ejThC2IvUWVCD8umZ4DiVvIm9+rBqG0Pvjq4QrGW4ULEFhGeifGrxP2BBs+8XwUZ mLRJ6kubcXxBdfgkwfGYFbFWI/gB+1QZLqSsy3uFX0WkIYYMLIDgssvJZ0EEJrYE wdWolU+h9ufboNe6v2gGfOW8I5VihFfffkDSAgIWi0pa9KTuO+s8yf8U5jtc88Rd ekTZixRGs+J75AXOdSjuPT2UGgtlggJkOmZiiDR4Hx6MpLZSwaivN2adXGSfdM80 pCYiexxorKd7G7DTce7AC9xVms7drVYjIACi8ip63BDYiBzxr/sATJHP70YFPYdl 8fSO9wDTrcRfGvTcumeE =L+OC -----END PGP SIGNATURE----- Merge tag 'vfio-v5.7-rc4' of git://github.com/awilliam/linux-vfio Pull VFIO fixes from Alex Williamson: - copy_*_user validity check for new vfio_dma_rw interface (Yan Zhao) - Fix a potential math overflow (Yan Zhao) - Use follow_pfn() for calculating PFNMAPs (Sean Christopherson) * tag 'vfio-v5.7-rc4' of git://github.com/awilliam/linux-vfio: vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() vfio: avoid possible overflow in vfio_iommu_type1_pin_pages vfio: checking of validity of user vaddr in vfio_dma_rw
2020-05-01 17:19:15 -07:00 · 2020-05-01 17:19:15 -07:00 · 690e2aba7b
commit 690e2aba7b
parent 42eb62d417 5cbf3264bc
1 changed files with 5 additions and 5 deletions
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@ -342,8 +342,8 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
 	vma = find_vma_intersection(mm, vaddr, vaddr + 1);

 	if (vma && vma->vm_flags & VM_PFNMAP) {
-		*pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
-		if (is_invalid_reserved_pfn(*pfn))
+		if (!follow_pfn(vma, vaddr, pfn) &&
+		    is_invalid_reserved_pfn(*pfn))
 			ret = 0;
 	}
 done:
@ -555,7 +555,7 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data,
 			continue;
 		}

-		remote_vaddr = dma->vaddr + iova - dma->iova;
+		remote_vaddr = dma->vaddr + (iova - dma->iova);
 		ret = vfio_pin_page_external(dma, remote_vaddr, &phys_pfn[i],
 					     do_accounting);
 		if (ret)
@ -2345,10 +2345,10 @@ static int vfio_iommu_type1_dma_rw_chunk(struct vfio_iommu *iommu,
 	vaddr = dma->vaddr + offset;

 	if (write)
-		*copied = __copy_to_user((void __user *)vaddr, data,
+		*copied = copy_to_user((void __user *)vaddr, data,
 					 count) ? 0 : count;
 	else
-		*copied = __copy_from_user(data, (void __user *)vaddr,
+		*copied = copy_from_user(data, (void __user *)vaddr,
 					   count) ? 0 : count;
 	if (kthread)
 		unuse_mm(mm);