authorJason Wang <jasowang@redhat.com>2021-06-04 07:53:47 +0200
committerMichael S. Tsirkin <mst@redhat.com>2021-07-08 13:49:01 +0200
commit44593865b7c5f55bf587f297c72d682c671eea2b (patch)
tree591ca6616d1dd5472fb3f6d1f8416fa1345e9eb5
parentvirtio-ring: factor out desc_extra allocation (diff)
downloadlinux-44593865b7c5f55bf587f297c72d682c671eea2b.tar.xz
linux-44593865b7c5f55bf587f297c72d682c671eea2b.zip
virtio_ring: secure handling of mapping errors
We should not depend on the DMA address, length and flag of the descriptor table, since they could be written with arbitrary values by the device. So this patch switches to use the ones stored in desc_extra. Note that the indirect descriptors are fine since they are read-only streaming mappings. Signed-off-by: Jason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210604055350.58753-5-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-rw-r--r--drivers/virtio/virtio_ring.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index f2f4a3b635f3..00e54115e29b 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -1219,13 +1219,16 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq,
unmap_release:
err_idx = i;
i = head;
+ curr = vq->free_head;
vq->packed.avail_used_flags = avail_used_flags;
for (n = 0; n < total_sg; n++) {
if (i == err_idx)
break;
- vring_unmap_desc_packed(vq, &desc[i]);
+ vring_unmap_state_packed(vq,
+ &vq->packed.desc_extra[curr]);
+ curr = vq->packed.desc_extra[curr].next;
i++;
if (i >= vq->packed.vring.num)
i = 0;
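Review bot: The unwind loop under `unmap_release:` now takes its unmap parameters from `vq->packed.desc_extra[curr]`, but nothing at this site records why `desc[i]` is no longer read, so a later cleanup could quietly reintroduce the lookup in the device-writable ring. I would add a comment above the loop, for example `/* Unmap from driver-private desc_extra: desc[] is device-writable, so its addr/len/flags cannot be trusted here. */`. The walk also appears to rely on `vq->free_head` not having been advanced before the failure, and on `desc_extra[curr]` having been filled in for every descriptor mapped so far. Both are established outside this hunk (virtqueue_add_packed starts and ends beyond it), so they are worth confirming and stating in the same comment.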