Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'for-linus-urgent' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fix from Paolo Bonzini:
"Fix missing bounds-checking in coalesced_mmio (CVE-2019-14821)"

* tag 'for-linus-urgent' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: coalesced_mmio: add bounds checking

+11 -8
+11 -8
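--- a/virt/kvm/coalesced_mmio.c
+++ b/virt/kvm/coalesced_mmio.c
@@ -40,7 +40,7 @@
 return 1;
 }
 
-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
+static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
 {
 struct kvm_coalesced_mmio_ring *ring;
 unsigned avail;
@@ -52,7 +52,7 @@
 * there is always one unused entry in the buffer
 */
 ring = dev->kvm->coalesced_mmio_ring;
-avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
+avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
 if (avail == 0) {
 /* full */
 return 0;
@@ -67,25 +67,28 @@
 {
 struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
 struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
+__u32 insert;
 
 if (!coalesced_mmio_in_range(dev, addr, len))
 return -EOPNOTSUPP;
 
 spin_lock(&dev->kvm->ring_lock);
 
-if (!coalesced_mmio_has_room(dev)) {
+insert = READ_ONCE(ring->last);
+if (!coalesced_mmio_has_room(dev, insert) ||
+insert >= KVM_COALESCED_MMIO_MAX) {
 spin_unlock(&dev->kvm->ring_lock);
 return -EOPNOTSUPP;
 }
 
 /* copy data in first free entry of the ring */
 
-ring->coalesced_mmio[ring->last].phys_addr = addr;
-ring->coalesced_mmio[ring->last].len = len;
-memcpy(ring->coalesced_mmio[ring->last].data, val, len);
-ring->coalesced_mmio[ring->last].pio = dev->zone.pio;
+ring->coalesced_mmio[insert].phys_addr = addr;
+ring->coalesced_mmio[insert].len = len;
+memcpy(ring->coalesced_mmio[insert].data, val, len);
+ring->coalesced_mmio[insert].pio = dev->zone.pio;
 smp_wmb();
-ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
+ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
 spin_unlock(&dev->kvm->ring_lock);
 return 0;
 }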
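Review bot: coalesced_mmio_has_room() still does a plain load of `ring->first` on new line 55 while the write path now snapshots `ring->last` with READ_ONCE(), so the two halves of the ring state are read with different discipline; if the ring header lives in memory that can change while the lock is held (which the snapshot-and-bounds-check pattern strongly suggests), the compiler is free to re-read `ring->first` and `avail` is not derived from one consistent observation. I would change it to `avail = (READ_ONCE(ring->first) - last - 1) % KVM_COALESCED_MMIO_MAX;` — this cannot by itself yield an out-of-bounds index, since `first` only feeds the unsigned modulo and `insert` is range-checked before it is used as an index, but it makes the intent explicit and removes a stale-read window. In coalesced_mmio_write() I would also test `insert >= KVM_COALESCED_MMIO_MAX` before calling has_room so the bounds check reads as the primary guard, and add a comment above the snapshot such as `/* read ring->last exactly once: this copy is used for the room check, the index and the update */`. Minor: the new local is declared `__u32 insert` while the new parameter is `u32 last`; the kernel-internal spelling `u32` would be consistent for both. The enclosing coalesced_mmio_write() begins above this hunk, so its signature is not visible here.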