virtio,vdpa: bugfixes

Misc bugfixes. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> -----BEGIN PGP SIGNATURE----- iQFDBAABCAAtFiEEXQn9CHHI+FuUyooNKB8NuNKNVGkFAmGxGLEPHG1zdEByZWRo YXQuY29tAAoJECgfDbjSjVRpPWsIALBdp+6ZQEzQXOpqiHGqDenaXZkUkcdzjvgC 2jtbxHu9+iZOmzLgtrKK6T9ky7gewucqhax80lvN+5wzZK/siVtmidJCi+f8MihN g2ePnOk5LC3KAetCNBMYlRlrLQuH8raLuec3CroJLIfmZEx2rPNbp/CmXfj7BBlc XcEjP3pvsJehVY7Em/EbTOQhln/fOzHXjimqM7vx+CJQ7Vuvwwm60UvlpwJhPaVk c8n4rYrddYQaLPpQvedhO3xGQ1fHSx94iA4QmMRB9Q6oeNPJ+I9eQsm+na8cAnga WePmcJqIiB9NnE67otr8Z2nOboX9x79DgVxCNzwuclH6qoVzJeM= =jIiu -----END PGP SIGNATURE----- Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio fixes from Michael Tsirkin: "Misc virtio and vdpa bugfixes" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: vdpa: Consider device id larger than 31 virtio/vsock: fix the transport to work with VMADDR_CID_ANY virtio_ring: Fix querying of maximum DMA mapping size for virtio device virtio: always enter drivers/virtio/ vduse: check that offset is within bounds in get_config() vdpa: check that offsets are within bounds vduse: fix memory corruption in vduse_dev_ioctl()
2021-12-13 14:34:22 -08:00 · 2021-12-13 14:34:22 -08:00 · 5472f14a37
parent aa50faff44 bb47620be3
commit 5472f14a37
6 changed files with 11 additions and 8 deletions
--- a/drivers/Makefile
+++ b/drivers/Makefile
@ -41,8 +41,7 @@ obj-$(CONFIG_DMADEVICES)	+= dma/
 # SOC specific infrastructure drivers.
 obj-y				+= soc/

-obj-$(CONFIG_VIRTIO)		+= virtio/
-obj-$(CONFIG_VIRTIO_PCI_LIB)	+= virtio/
+obj-y				+= virtio/
 obj-$(CONFIG_VDPA)		+= vdpa/
 obj-$(CONFIG_XEN)		+= xen/

--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@ -404,7 +404,8 @@ static int vdpa_mgmtdev_fill(const struct vdpa_mgmt_dev *mdev, struct sk_buff *m
 		goto msg_err;

 	while (mdev->id_table[i].device) {
-		supported_classes |= BIT(mdev->id_table[i].device);
+		if (mdev->id_table[i].device <= 63)
+			supported_classes |= BIT_ULL(mdev->id_table[i].device);
 		i++;
 	}

--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@ -655,7 +655,8 @@ static void vduse_vdpa_get_config(struct vdpa_device *vdpa, unsigned int offset,
 {
 	struct vduse_dev *dev = vdpa_to_vduse(vdpa);

-	if (len > dev->config_size - offset)
+	if (offset > dev->config_size ||
+	    len > dev->config_size - offset)
 		return;

 	memcpy(buf, dev->config + offset, len);
@ -975,7 +976,8 @@ static long vduse_dev_ioctl(struct file *file, unsigned int cmd,
 			break;

 		ret = -EINVAL;
-		if (config.length == 0 ||
+		if (config.offset > dev->config_size ||
+		    config.length == 0 ||
 		    config.length > dev->config_size - config.offset)
 			break;

--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@ -197,7 +197,7 @@ static int vhost_vdpa_config_validate(struct vhost_vdpa *v,
 	struct vdpa_device *vdpa = v->vdpa;
 	long size = vdpa->config->get_config_size(vdpa);

-	if (c->len == 0)
+	if (c->len == 0 || c->off > size)
 		return -EINVAL;

 	if (c->len > size - c->off)
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@ -268,7 +268,7 @@ size_t virtio_max_dma_size(struct virtio_device *vdev)
 	size_t max_segment_size = SIZE_MAX;

 	if (vring_use_dma_api(vdev))
-		max_segment_size = dma_max_mapping_size(&vdev->dev);
+		max_segment_size = dma_max_mapping_size(vdev->dev.parent);

 	return max_segment_size;
 }
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@ -1299,7 +1299,8 @@ void virtio_transport_recv_pkt(struct virtio_transport *t,
 	space_available = virtio_transport_space_update(sk, pkt);

 	/* Update CID in case it has changed after a transport reset event */
-	vsk->local_addr.svm_cid = dst.svm_cid;
+	if (vsk->local_addr.svm_cid != VMADDR_CID_ANY)
+		vsk->local_addr.svm_cid = dst.svm_cid;

 	if (space_available)
 		sk->sk_write_space(sk);