[PATCH 4.14 08/53] vfio: Use get_user_pages_longterm correctly

From: Greg Kroah-Hartman
Date: Tue Jul 10 2018 - 14:44:01 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.14 04/53] scsi: sg: mitigate read/write abuse"
Previous message: Robin Murphy: "[RFC PATCH 0/4] Stop losing firmware-set DMA masks"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 09/53] cifs: Fix use after free of a mid_q_entry"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 04/53] scsi: sg: mitigate read/write abuse"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgg@xxxxxxxxxxxx>

commit bb94b55af3461e26b32f0e23d455abeae0cfca5d upstream.

The patch noted in the fixes below converted get_user_pages_fast() to
get_user_pages_longterm(), however the two calls differ in a few ways.

First _fast() is documented to not require the mmap_sem, while _longterm()
is documented to need it. Hold the mmap sem as required.

Second, _fast accepts an 'int write' while _longterm uses 'unsigned int
gup_flags', so the expression '!!(prot & IOMMU_WRITE)' is only working by
luck as FOLL_WRITE is currently == 0x1. Use the expected FOLL_WRITE
constant instead.

Fixes: 94db151dc892 ("vfio: disable filesystem-dax page pinning")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxxxx>
Acked-by: Dan Williams <dan.j.williams@xxxxxxxxx>
Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/vfio/vfio_iommu_type1.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)

--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -339,18 +339,16 @@ static int vaddr_get_pfn(struct mm_struc
struct page *page[1];
struct vm_area_struct *vma;
struct vm_area_struct *vmas[1];
+ unsigned int flags = 0;
int ret;

+ if (prot & IOMMU_WRITE)
+ flags |= FOLL_WRITE;
+
+ down_read(&mm->mmap_sem);
if (mm == current->mm) {
- ret = get_user_pages_longterm(vaddr, 1, !!(prot & IOMMU_WRITE),
- page, vmas);
+ ret = get_user_pages_longterm(vaddr, 1, flags, page, vmas);
} else {
- unsigned int flags = 0;
-
- if (prot & IOMMU_WRITE)
- flags |= FOLL_WRITE;
-
- down_read(&mm->mmap_sem);
ret = get_user_pages_remote(NULL, mm, vaddr, 1, flags, page,
vmas, NULL);
/*
@@ -364,8 +362,8 @@ static int vaddr_get_pfn(struct mm_struc
ret = -EOPNOTSUPP;
put_page(page[0]);
}
- up_read(&mm->mmap_sem);
}
+ up_read(&mm->mmap_sem);

if (ret == 1) {
*pfn = page_to_pfn(page[0]);

Next message: Greg Kroah-Hartman: "[PATCH 4.14 04/53] scsi: sg: mitigate read/write abuse"
Previous message: Robin Murphy: "[RFC PATCH 0/4] Stop losing firmware-set DMA masks"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 09/53] cifs: Fix use after free of a mid_q_entry"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 04/53] scsi: sg: mitigate read/write abuse"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]