virtio_ring: secure handling of mapping errors
author Jason Wang <jasowang@redhat.com>
Fri, 4 Jun 2021 05:53:47 +0000 (13:53 +0800)
committer Michael S. Tsirkin <mst@redhat.com>
Thu, 8 Jul 2021 11:49:01 +0000 (07:49 -0400)
We should not depend on the DMA address, length and flag of descriptor
table since they could be written with arbitrary values by the device. So
this patch switches to use the stored one in desc_extra.

Note that the indirect descriptors are fine since they are read-only
streaming mappings.

Signed-off-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20210604055350.58753-5-jasowang@redhat.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
drivers/virtio/virtio_ring.c

index f2f4a3b635f3c7f92b222e951af1204cb0aa0b34..00e54115e29b300431c0b58781fa67be42d7b741 100644 (file)
@@ -1219,13 +1219,16 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq,
 unmap_release:
        err_idx = i;
        i = head;
+       curr = vq->free_head;
 
        vq->packed.avail_used_flags = avail_used_flags;
 
        for (n = 0; n < total_sg; n++) {
                if (i == err_idx)
                        break;
-               vring_unmap_desc_packed(vq, &desc[i]);
+               vring_unmap_state_packed(vq,
+                                        &vq->packed.desc_extra[curr]);
+               curr = vq->packed.desc_extra[curr].next;
                i++;
                if (i >= vq->packed.vring.num)
                        i = 0;
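Review bot: The new walk in unmap_release starts from `curr = vq->free_head` and follows `desc_extra[curr].next`, which is only correct if free_head has not yet been advanced when this label is reached and if the desc_extra entry for every descriptor mapped before err_idx was already filled in; neither condition is stated in the hunk. A short comment above `curr = vq->free_head;` saying that free_head is updated only on the success path, and that desc_extra is populated as each descriptor is mapped, would make the invariant checkable. It would also help to note there why the loop reads vq->packed.desc_extra rather than desc[i] (the ring is device-writable, per the commit message), so a later cleanup does not fold the two indices back into one and reintroduce the read from the descriptor table. After this change `i` is used in the loop only for the `i == err_idx` comparison and the wrap at vq->packed.vring.num, which is worth saying in the same comment since the two cursors now advance by different rules.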