VFIO fixes for v5.1-rc4

- Fix clang printk format errors (Louis Taylor) - Declare structure static to fix sparse warning (Wang Hai) - Limit user DMA mappings per container (CVE-2019-3882) (Alex Williamson) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iQIcBAABAgAGBQJcp2hGAAoJECObm247sIsiccMP/RHCnR2s30uvhiRnWXCtjYuB KsaCfbS6JMI+vmeIV995deVlxVCWKblKIfwlW3fQ+vzljwRBe17MFhAj93aG9qmo BG3TVsSntz4FvlvzQbJjkF3LLENrTfw6bMskp+0gHVA3pX6g92NvEZGpBlXZo0+I 41LkEBMYLZV3PaXRUa/QOwQqp6ootTwQUX3a75I1zzkQqpeypu5/MkRV+0/HRxYc q+jhGIlUVc7sFwH5Ggn8uTM0tuAOIpZfMEJcI64DX2BE6eBppR6lChZGIgFNF3DB YVRg5inyZmdi87QgkRXWqQ/6PDDqfNPMlKWZntAWCGbEzYsIsGLYjxPoOgSDsO7l Ud1Cgn8KF65n48vBiW68SPUMijVOYxaKE0dUhxhhcMdlz8lOpMeZ5B748Izswi08 roKAZkMGyAbvbuAuUIQkAbSMRNlcAi7JMH3mE3XnyeEVzZtyMjtBX1oLl//0JFi9 qdR3E7hJTbOZ/3tjNx718INkZ7xj44s+n7trs8PepEHxP42o9Mr3zpm0ETEgzaNI r8k4ViiztqMQeAYYfIugcr+F7a41E4xhyLShi/sxJZ0xo5i7v4hAZ2LoDcpRz4kd EuWEnkzIH2+3DH2UJuW4TzLhPoW3Y9Q04OmoJ+/8sdxBVjYZGwppaf/zGW2RSWkh VmMxOKc4TZsxLkSH2L+I =j6NB -----END PGP SIGNATURE----- Merge tag 'vfio-v5.1-rc4' of git://github.com/awilliam/linux-vfio Pull VFIO fixes from Alex Williamson: - Fix clang printk format errors (Louis Taylor) - Declare structure static to fix sparse warning (Wang Hai) - Limit user DMA mappings per container (CVE-2019-3882) (Alex Williamson) * tag 'vfio-v5.1-rc4' of git://github.com/awilliam/linux-vfio: vfio/type1: Limit DMA mappings per container vfio/spapr_tce: Make symbol 'tce_iommu_driver_ops' static vfio/pci: use correct format characters
2019-04-05 15:07:28 -10:00 · 2019-04-05 15:07:28 -10:00 · 3e28fb0fcb
commit 3e28fb0fcb
parent bc5725f974 492855939b
3 changed files with 17 additions and 3 deletions
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@ -1661,11 +1661,11 @@ static void __init vfio_pci_fill_ids(void)
 		rc = pci_add_dynid(&vfio_pci_driver, vendor, device,
 				   subvendor, subdevice, class, class_mask, 0);
 		if (rc)
-			pr_warn("failed to add dynamic id [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x (%d)\n",
+			pr_warn("failed to add dynamic id [%04x:%04x[%04x:%04x]] class %#08x/%08x (%d)\n",
 				vendor, device, subvendor, subdevice,
 				class, class_mask, rc);
 		else
-			pr_info("add [%04hx:%04hx[%04hx:%04hx]] class %#08x/%08x\n",
+			pr_info("add [%04x:%04x[%04x:%04x]] class %#08x/%08x\n",
 				vendor, device, subvendor, subdevice,
 				class, class_mask);
 	}
--- a/drivers/vfio/vfio_iommu_spapr_tce.c
+++ b/drivers/vfio/vfio_iommu_spapr_tce.c
@ -1398,7 +1398,7 @@ unlock_exit:
 	mutex_unlock(&container->lock);
 }

-const struct vfio_iommu_driver_ops tce_iommu_driver_ops = {
+static const struct vfio_iommu_driver_ops tce_iommu_driver_ops = {
 	.name		= "iommu-vfio-powerpc",
 	.owner		= THIS_MODULE,
 	.open		= tce_iommu_open,
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@ -58,12 +58,18 @@ module_param_named(disable_hugepages,
 MODULE_PARM_DESC(disable_hugepages,
 		 "Disable VFIO IOMMU support for IOMMU hugepages.");

+static unsigned int dma_entry_limit __read_mostly = U16_MAX;
+module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644);
+MODULE_PARM_DESC(dma_entry_limit,
+		 "Maximum number of user DMA mappings per container (65535).");
+
 struct vfio_iommu {
 	struct list_head	domain_list;
 	struct vfio_domain	*external_domain; /* domain for external user */
 	struct mutex		lock;
 	struct rb_root		dma_list;
 	struct blocking_notifier_head notifier;
+	unsigned int		dma_avail;
 	bool			v2;
 	bool			nesting;
 };
@ -836,6 +842,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)
 	vfio_unlink_dma(iommu, dma);
 	put_task_struct(dma->task);
 	kfree(dma);
+	iommu->dma_avail++;
 }

 static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu)
@ -1081,12 +1088,18 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
 		goto out_unlock;
 	}

+	if (!iommu->dma_avail) {
+		ret = -ENOSPC;
+		goto out_unlock;
+	}
+
 	dma = kzalloc(sizeof(*dma), GFP_KERNEL);
 	if (!dma) {
 		ret = -ENOMEM;
 		goto out_unlock;
 	}

+	iommu->dma_avail--;
 	dma->iova = iova;
 	dma->vaddr = vaddr;
 	dma->prot = prot;
@ -1583,6 +1596,7 @@ static void *vfio_iommu_type1_open(unsigned long arg)

 	INIT_LIST_HEAD(&iommu->domain_list);
 	iommu->dma_list = RB_ROOT;
+	iommu->dma_avail = dma_entry_limit;
 	mutex_init(&iommu->lock);
 	BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier);