Commit f266dd39 authored by Kunkun Jiang's avatar Kunkun Jiang Committed by Zheng Zengkai

vfio/iommu: Fix uncorrect type parameters which used in bitmap operations

virt inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I573P1


CVE: NA

------------------------------

Some parameters used in bitmap operations in
iommu_clear_dirty_log/vfio_iova_dirty_log_clear have an incorrect type.
In some cases, this causes data overflow.

Fixes: bbf3b39e (iommu: Introduce dirty log tracking framework)
Fixes: f1c9b9fa (vfio/iommu_type1: Add support for manual dirty log clear)
Signed-off-by: default avatarKunkun Jiang <jiangkunkun@huawei.com>
Reviewed-by: default avatarKeqian Zhu <zhukeqian1@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 1fdf2dea
+3 −4
@@ -3142,9 +3142,8 @@ int iommu_clear_dirty_log(struct iommu_domain *domain,
			  unsigned long bitmap_pgshift)
{
	unsigned long riova, rsize;
	unsigned int min_pagesz;
	unsigned int min_pagesz, rs, re, start, end;
	bool flush = false;
	int rs, re, start, end;
	int ret = 0;

	min_pagesz = 1 << __ffs(domain->pgsize_bitmap);
@@ -3160,8 +3159,8 @@ int iommu_clear_dirty_log(struct iommu_domain *domain,
	end = start + (size >> bitmap_pgshift);
	bitmap_for_each_set_region(bitmap, rs, re, start, end) {
		flush = true;
		riova = base_iova + (rs << bitmap_pgshift);
		rsize = (re - rs) << bitmap_pgshift;
		riova = base_iova + ((unsigned long)rs << bitmap_pgshift);
		rsize = (unsigned long)(re - rs) << bitmap_pgshift;
		ret = __iommu_clear_dirty_log(domain, riova, rsize, bitmap,
					      base_iova, bitmap_pgshift);
		if (ret)
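Review bot: The bitmap indices `start` and `end` are still 32-bit after this change, so `end = start + (size >> bitmap_pgshift)` is narrowed on assignment; the new `(unsigned long)` casts fix only the later shift, not a truncated range. If `size` is an unsigned long (its declaration is outside the hunk), a range of more than UINT_MAX pages would wrap `end`, and the loop would silently clear only part of the requested dirty log. A range check next to the function's existing argument validation (not visible here), with a condition such as `(size >> bitmap_pgshift) > UINT_MAX - start`, would reject that case instead of truncating it. The same narrowing applies to `end = (end_iova - iova) >> pgshift` in vfio_iova_dirty_log_clear, where the `__user` bitmap parameter suggests the range originates from userspace. The body of iommu_clear_dirty_log starts and ends outside these hunks.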
+2 −2
@@ -1096,7 +1096,7 @@ static int vfio_iova_dirty_log_clear(u64 __user *bitmap,
	unsigned long bitmap_size;
	unsigned long *bitmap_buffer = NULL;
	bool clear_valid;
	int rs, re, start, end, dma_offset;
	unsigned int rs, re, start, end, dma_offset;
	int ret = 0;

	bitmap_size = DIRTY_BITMAP_BYTES(size >> pgshift);
@@ -1128,7 +1128,7 @@ static int vfio_iova_dirty_log_clear(u64 __user *bitmap,
		end = (end_iova - iova) >> pgshift;
		bitmap_for_each_set_region(bitmap_buffer, rs, re, start, end) {
			clear_valid = true;
			riova = iova + (rs << pgshift);
			riova = iova + ((unsigned long)rs << pgshift);
			dma_offset = (riova - dma->iova) >> pgshift;
			bitmap_clear(dma->bitmap, dma_offset, re - rs);
		}
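Review bot: The cast in `riova = iova + ((unsigned long)rs << pgshift);` deserves a one-line comment, because nothing at the site says why it is needed and a later cleanup could drop it as redundant. Suggested wording: `/* rs is a 32-bit bit index: widen before shifting or the IOVA offset wraps */`. `dma_offset` is now `unsigned int` too, so `(riova - dma->iova) >> pgshift` is narrowed to 32 bits before it reaches `bitmap_clear()`. That presumably relies on a per-dma bitmap size limit enforced elsewhere, which is worth stating in the same comment since the bound is not visible in this hunk. The function continues outside the hunk.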