From: Jason Wang
Date: Fri, 4 Jun 2021 05:53:47 +0000 (+0800)
Subject: virtio_ring: secure handling of mapping errors
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=44593865b7c5f55bf587f297c72d682c671eea2b;p=linux.git

virtio_ring: secure handling of mapping errors

We should not depend on the DMA address, length and flag of descriptor table since they could be written with arbitrary value by the device. So this patch switches to use the stored one in desc_extra.

Note that the indirect descriptors are fine since they are read-only streaming mappings.

Signed-off-by: Jason Wang
Link: https://lore.kernel.org/r/20210604055350.58753-5-jasowang@redhat.com
Signed-off-by: Michael S. Tsirkin
---
diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index f2f4a3b635f3c..00e54115e29b3 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c @@ -1219,13 +1219,16 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, unmap_release: err_idx = i; i = head; + curr = vq->free_head; vq->packed.avail_used_flags = avail_used_flags; for (n = 0; n < total_sg; n++) { if (i == err_idx) break; - vring_unmap_desc_packed(vq, &desc[i]); + vring_unmap_state_packed(vq, + &vq->packed.desc_extra[curr]); + curr = vq->packed.desc_extra[curr].next; i++; if (i >= vq->packed.vring.num) i = 0;
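Review bot: the added `curr = vq->free_head;` under `unmap_release:` carries an undocumented invariant. It only unmaps the right entries if free_head still points at the first desc_extra slot used by the failed add, and if following `desc_extra[curr].next` visits the slots in the same order the mappings were recorded. Neither condition is visible in this hunk, so a one-line comment above the assignment stating that assumption would help the next reader. The loop also now advances two cursors in lockstep, `i` (ring index, wrapping at `vq->packed.vring.num`) and `curr` (desc_extra chain), while the exit test is still only `i == err_idx`. It is worth confirming that the desc_extra entries up to err_idx have their addr, len and flags populated before any path can jump here, since `vring_unmap_state_packed()` now trusts those stored values instead of the device-writable `desc[i]`. The declaration of `curr` is outside the visible context as well, so please check it is in scope on every path that reaches this label.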