From 63651aa98a6f2155daceaa35f659ec6e5b1590b1 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Fri, 4 Jun 2021 13:53:47 +0800 Subject: [PATCH] UPSTREAM: virtio_ring: secure handling of mapping errors We should not depend on the DMA address, length and flag of descriptor table since they could be wrote with arbitrary value by the device. So this patch switches to use the stored one in desc_extra. Note that the indirect descriptors are fine since they are read-only streaming mappings. Signed-off-by: Jason Wang Link: https://lore.kernel.org/r/20210604055350.58753-5-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin (cherry picked from commit 44593865b7c5f55bf587f297c72d682c671eea2b) Bug: 196772804 Signed-off-by: Keir Fraser Change-Id: I55bd78a1c023ef23af553b384ba548ee2797c3cd --- drivers/virtio/virtio_ring.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index 4934ee58e0bc..d1cccb14ec39 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c @@ -1223,13 +1223,16 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, unmap_release: err_idx = i; i = head; + curr = vq->free_head; vq->packed.avail_used_flags = avail_used_flags; for (n = 0; n < total_sg; n++) { if (i == err_idx) break; - vring_unmap_desc_packed(vq, &desc[i]); + vring_unmap_state_packed(vq, + &vq->packed.desc_extra[curr]); + curr = vq->packed.desc_extra[curr].next; i++; if (i >= vq->packed.vring.num) i = 0;