From nobody Tue May 21 01:20:35 2024
Subject: [PATCH v2 1/2] vhost: Don't call access_ok() when using IOTLB
From: Greg Kurz
To: "Michael S. Tsirkin", Jason Wang
Cc: kvm@vger.kernel.org, netdev@vger.kernel.org, Laurent Vivier, qemu-devel@nongnu.org, virtualization@lists.linux-foundation.org, David Gibson
Date: Tue, 29 Sep 2020 18:30:31 +0200
Message-ID: <160139703153.162128.16860679176471296230.stgit@bahia.lan>
In-Reply-To: <160139701999.162128.2399875915342200263.stgit@bahia.lan>

When the IOTLB device is enabled, the vring addresses we get from userspace are GIOVAs. It is thus wrong to pass them down to access_ok() which only takes HVAs. Access validation is done at prefetch time with IOTLB.
Teach vq_access_ok() about that by moving the (vq->iotlb) check from vhost_vq_access_ok() to vq_access_ok(). This prevents vhost_vring_set_addr() from failing when verifying the accesses. No behavior change for vhost_vq_access_ok().

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1883084
Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API")
Cc: jasowang@redhat.com
CC: stable@vger.kernel.org # 4.14+
Signed-off-by: Greg Kurz
Acked-by: Jason Wang
--- drivers/vhost/vhost.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index b45519ca66a7..c3b49975dc28 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -1290,6 +1290,11 @@ static bool vq_access_ok(struct vhost_virtqueue *vq,= unsigned int num, vring_used_t __user *used) =20 { + /* If an IOTLB device is present, the vring addresses are + * GIOVAs. Access validation occurs at prefetch time. */ + if (vq->iotlb) + return true; + return access_ok(desc, vhost_get_desc_size(vq, num)) && access_ok(avail, vhost_get_avail_size(vq, num)) && access_ok(used, vhost_get_used_size(vq, num));
@@ -1383,10 +1388,6 @@ bool vhost_vq_access_ok(struct vhost_virtqueue *vq) if (!vq_log_access_ok(vq, vq->log_base)) return false; =20 - /* Access validation occurs at prefetch time with IOTLB */ - if (vq->iotlb) - return true; - return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used); } EXPORT_SYMBOL_GPL(vhost_vq_access_ok);

From nobody Tue May 21 01:20:35 2024
Subject: [PATCH v2 2/2] vhost: Don't call log_access_ok() when using IOTLB
From: Greg Kurz
To: "Michael S. Tsirkin", Jason Wang
Cc: kvm@vger.kernel.org, netdev@vger.kernel.org, Laurent Vivier, qemu-devel@nongnu.org, virtualization@lists.linux-foundation.org, David Gibson
Date: Tue, 29 Sep 2020 18:30:44 +0200
Message-ID: <160139704424.162128.7839027287942194310.stgit@bahia.lan>
In-Reply-To: <160139701999.162128.2399875915342200263.stgit@bahia.lan>

When the IOTLB device is enabled, the log_guest_addr that is passed by userspace to the VHOST_SET_VRING_ADDR ioctl, and which is then written to vq->log_addr, is a GIOVA.
All writes to this address are translated by log_user() to writes to an HVA, and then ultimately logged through the corresponding GPAs in log_write_hva(). No logging will ever occur with vq->log_addr in this case. It is thus wrong to pass vq->log_addr and log_guest_addr to log_access_vq() which assumes they are actual GPAs. Introduce a new vq_log_used_access_ok() helper that only checks accesses to the log for the used structure when there isn't an IOTLB device around.

Signed-off-by: Greg Kurz
--- drivers/vhost/vhost.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index c3b49975dc28..5996e32fa818 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -1370,6 +1370,20 @@ bool vhost_log_access_ok(struct vhost_dev *dev) } EXPORT_SYMBOL_GPL(vhost_log_access_ok); =20 +static bool vq_log_used_access_ok(struct vhost_virtqueue *vq, + void __user *log_base, + bool log_used, + u64 log_addr, + size_t log_size) +{ + /* If an IOTLB device is present, log_addr is a GIOVA that + * will never be logged by log_used(). */ + if (vq->iotlb) + return true; + + return !log_used || log_access_ok(log_base, log_addr, log_size); +} + /* Verify access for write logging. */ /* Caller should have vq mutex and device mutex */ static bool vq_log_access_ok(struct vhost_virtqueue *vq, @@ -1377,8 +1391,8 @@ static bool vq_log_access_ok(struct vhost_virtqueue *= vq, { return vq_memory_access_ok(log_base, vq->umem, vhost_has_feature(vq, VHOST_F_LOG_ALL)) && - (!vq->log_used || log_access_ok(log_base, vq->log_addr, - vhost_get_used_size(vq, vq->num))); + vq_log_used_access_ok(vq, log_base, vq->log_used, vq->log_addr, + vhost_get_used_size(vq, vq->num)); } =20 /* Can we start vq? */
@@ -1517,8 +1531,9 @@ static long vhost_vring_set_addr(struct vhost_dev *d, return -EINVAL; =20 /* Also validate log access for used ring if enabled. */ - if ((a.flags & (0x1 << VHOST_VRING_F_LOG)) && - !log_access_ok(vq->log_base, a.log_guest_addr, + if (!vq_log_used_access_ok(vq, vq->log_base, + a.flags & (0x1 << VHOST_VRING_F_LOG), + a.log_guest_addr, sizeof *vq->used + vq->num * sizeof *vq->used->ring)) return -EINVAL;
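
Review bot: in patch 1/2, the early return added at the top of vq_access_ok() means the function now accepts any desc, avail and used values once vq->iotlb is set, and the new comment only says that validation "occurs at prefetch time" without naming the function that performs it. Since the commit log states that vhost_vring_set_addr() goes through this check, please name the prefetch-time validator in the comment so a reader can confirm from here that every ring address is still checked before first use.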
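
Review bot: in patch 2/2, the comment in the new vq_log_used_access_ok() helper says log_addr "will never be logged by log_used()", while the commit log attributes the translation to log_user() and speaks of log_access_vq(); the diff itself only shows log_access_ok(). Please make the function names in the comment and the commit log agree with the code, otherwise the justification for skipping the check cannot be followed from the text.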
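
Review bot: in patch 2/2, the vq_log_access_ok() hunk still evaluates vq_memory_access_ok(log_base, vq->umem, ...) unconditionally, so with vq->iotlb set only the used-ring log check is skipped. If that split is intended, a short comment above the && stating that the memory-table check still applies with an IOTLB would keep a later change from extending the skip to it.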
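
Review bot: in patch 2/2, the vhost_vring_set_addr() call site passes a.flags & (0x1 << VHOST_VRING_F_LOG) straight into the bool log_used parameter and keeps the open-coded length sizeof *vq->used + vq->num * sizeof *vq->used->ring, whereas the vq_log_access_ok() hunk passes vhost_get_used_size(vq, vq->num) to the same helper. Suggest writing the flag test as an explicit boolean (!! or != 0) and either using vhost_get_used_size(vq, vq->num) here as well or saying in the commit log why the two callers state the length differently.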