bf42daed6b
If I attach a vfio-ccw device to my guest, I get the following warning on the host when the host kernel is CONFIG_HARDENED_USERCOPY=y [250757.595325] Bad or missing usercopy whitelist? Kernel memory overwrite attempt detected to SLUB object 'dma-kmalloc-512' (offset 64, size 124)! [250757.595365] WARNING: CPU: 2 PID: 10958 at mm/usercopy.c:81 usercopy_warn+0xac/0xd8 [250757.595369] Modules linked in: kvm vhost_net vhost tap xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c devlink tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables sunrpc dm_multipath s390_trng crc32_vx_s390 ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha1_s390 eadm_sch tape_3590 tape tape_class qeth_l2 qeth ccwgroup vfio_ccw vfio_mdev zcrypt_cex4 mdev vfio_iommu_type1 zcrypt vfio sha256_s390 sha_common zfcp scsi_transport_fc qdio dasd_eckd_mod dasd_mod [250757.595424] CPU: 2 PID: 10958 Comm: CPU 2/KVM Not tainted 4.18.0-derp #2 [250757.595426] Hardware name: IBM 3906 M05 780 (LPAR) ...snip regs... [250757.595523] Call Trace: [250757.595529] ([<0000000000349210>] usercopy_warn+0xa8/0xd8) [250757.595535] [<000000000032daaa>] __check_heap_object+0xfa/0x160 [250757.595540] [<0000000000349396>] __check_object_size+0x156/0x1d0 [250757.595547] [<000003ff80332d04>] vfio_ccw_mdev_write+0x74/0x148 [vfio_ccw] [250757.595552] [<000000000034ed12>] __vfs_write+0x3a/0x188 [250757.595556] [<000000000034f040>] vfs_write+0xa8/0x1b8 [250757.595559] [<000000000034f4e6>] ksys_pwrite64+0x86/0xc0 [250757.595568] [<00000000008959a0>] system_call+0xdc/0x2b0 [250757.595570] Last Breaking-Event-Address: [250757.595573] [<0000000000349210>] usercopy_warn+0xa8/0xd8 While vfio_ccw_mdev_{write|read} validates that the input position/count does not run over the ccw_io_region struct, the usercopy code that does copy_{to|from}_user doesn't necessarily know this. It sees the variable length and gets worried that it's affecting a normal kmalloc'd struct, and generates the above warning. Adjust how the ccw_io_region is alloc'd with a whitelist to remove this warning. The boundary checking will continue to do its thing. Signed-off-by: Eric Farman <farman@linux.ibm.com> Message-Id: <20180921204013.95804-3-farman@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com>
277 lines
6.2 KiB
C
277 lines
6.2 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* VFIO based Physical Subchannel device driver
|
|
*
|
|
* Copyright IBM Corp. 2017
|
|
*
|
|
* Author(s): Dong Jia Shi <bjsdjshi@linux.vnet.ibm.com>
|
|
* Xiao Feng Ren <renxiaof@linux.vnet.ibm.com>
|
|
*/
|
|
|
|
#include <linux/module.h>
|
|
#include <linux/init.h>
|
|
#include <linux/device.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/uuid.h>
|
|
#include <linux/mdev.h>
|
|
|
|
#include <asm/isc.h>
|
|
|
|
#include "ioasm.h"
|
|
#include "css.h"
|
|
#include "vfio_ccw_private.h"
|
|
|
|
struct workqueue_struct *vfio_ccw_work_q;
|
|
struct kmem_cache *vfio_ccw_io_region;
|
|
|
|
/*
|
|
* Helpers
|
|
*/
|
|
int vfio_ccw_sch_quiesce(struct subchannel *sch)
|
|
{
|
|
struct vfio_ccw_private *private = dev_get_drvdata(&sch->dev);
|
|
DECLARE_COMPLETION_ONSTACK(completion);
|
|
int iretry, ret = 0;
|
|
|
|
spin_lock_irq(sch->lock);
|
|
if (!sch->schib.pmcw.ena)
|
|
goto out_unlock;
|
|
ret = cio_disable_subchannel(sch);
|
|
if (ret != -EBUSY)
|
|
goto out_unlock;
|
|
|
|
do {
|
|
iretry = 255;
|
|
|
|
ret = cio_cancel_halt_clear(sch, &iretry);
|
|
while (ret == -EBUSY) {
|
|
/*
|
|
* Flush all I/O and wait for
|
|
* cancel/halt/clear completion.
|
|
*/
|
|
private->completion = &completion;
|
|
spin_unlock_irq(sch->lock);
|
|
|
|
wait_for_completion_timeout(&completion, 3*HZ);
|
|
|
|
spin_lock_irq(sch->lock);
|
|
private->completion = NULL;
|
|
flush_workqueue(vfio_ccw_work_q);
|
|
ret = cio_cancel_halt_clear(sch, &iretry);
|
|
};
|
|
|
|
ret = cio_disable_subchannel(sch);
|
|
} while (ret == -EBUSY);
|
|
out_unlock:
|
|
private->state = VFIO_CCW_STATE_NOT_OPER;
|
|
spin_unlock_irq(sch->lock);
|
|
return ret;
|
|
}
|
|
|
|
static void vfio_ccw_sch_io_todo(struct work_struct *work)
|
|
{
|
|
struct vfio_ccw_private *private;
|
|
struct irb *irb;
|
|
|
|
private = container_of(work, struct vfio_ccw_private, io_work);
|
|
irb = &private->irb;
|
|
|
|
if (scsw_is_solicited(&irb->scsw)) {
|
|
cp_update_scsw(&private->cp, &irb->scsw);
|
|
cp_free(&private->cp);
|
|
}
|
|
memcpy(private->io_region->irb_area, irb, sizeof(*irb));
|
|
|
|
if (private->io_trigger)
|
|
eventfd_signal(private->io_trigger, 1);
|
|
|
|
if (private->mdev)
|
|
private->state = VFIO_CCW_STATE_IDLE;
|
|
}
|
|
|
|
/*
|
|
* Css driver callbacks
|
|
*/
|
|
static void vfio_ccw_sch_irq(struct subchannel *sch)
|
|
{
|
|
struct vfio_ccw_private *private = dev_get_drvdata(&sch->dev);
|
|
|
|
inc_irq_stat(IRQIO_CIO);
|
|
vfio_ccw_fsm_event(private, VFIO_CCW_EVENT_INTERRUPT);
|
|
}
|
|
|
|
static int vfio_ccw_sch_probe(struct subchannel *sch)
|
|
{
|
|
struct pmcw *pmcw = &sch->schib.pmcw;
|
|
struct vfio_ccw_private *private;
|
|
int ret;
|
|
|
|
if (pmcw->qf) {
|
|
dev_warn(&sch->dev, "vfio: ccw: does not support QDIO: %s\n",
|
|
dev_name(&sch->dev));
|
|
return -ENODEV;
|
|
}
|
|
|
|
private = kzalloc(sizeof(*private), GFP_KERNEL | GFP_DMA);
|
|
if (!private)
|
|
return -ENOMEM;
|
|
|
|
private->io_region = kmem_cache_zalloc(vfio_ccw_io_region,
|
|
GFP_KERNEL | GFP_DMA);
|
|
if (!private->io_region) {
|
|
kfree(private);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
private->sch = sch;
|
|
dev_set_drvdata(&sch->dev, private);
|
|
|
|
spin_lock_irq(sch->lock);
|
|
private->state = VFIO_CCW_STATE_NOT_OPER;
|
|
sch->isc = VFIO_CCW_ISC;
|
|
ret = cio_enable_subchannel(sch, (u32)(unsigned long)sch);
|
|
spin_unlock_irq(sch->lock);
|
|
if (ret)
|
|
goto out_free;
|
|
|
|
ret = vfio_ccw_mdev_reg(sch);
|
|
if (ret)
|
|
goto out_disable;
|
|
|
|
INIT_WORK(&private->io_work, vfio_ccw_sch_io_todo);
|
|
atomic_set(&private->avail, 1);
|
|
private->state = VFIO_CCW_STATE_STANDBY;
|
|
|
|
return 0;
|
|
|
|
out_disable:
|
|
cio_disable_subchannel(sch);
|
|
out_free:
|
|
dev_set_drvdata(&sch->dev, NULL);
|
|
kmem_cache_free(vfio_ccw_io_region, private->io_region);
|
|
kfree(private);
|
|
return ret;
|
|
}
|
|
|
|
static int vfio_ccw_sch_remove(struct subchannel *sch)
|
|
{
|
|
struct vfio_ccw_private *private = dev_get_drvdata(&sch->dev);
|
|
|
|
vfio_ccw_sch_quiesce(sch);
|
|
|
|
vfio_ccw_mdev_unreg(sch);
|
|
|
|
dev_set_drvdata(&sch->dev, NULL);
|
|
|
|
kmem_cache_free(vfio_ccw_io_region, private->io_region);
|
|
kfree(private);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void vfio_ccw_sch_shutdown(struct subchannel *sch)
|
|
{
|
|
vfio_ccw_sch_quiesce(sch);
|
|
}
|
|
|
|
/**
|
|
* vfio_ccw_sch_event - process subchannel event
|
|
* @sch: subchannel
|
|
* @process: non-zero if function is called in process context
|
|
*
|
|
* An unspecified event occurred for this subchannel. Adjust data according
|
|
* to the current operational state of the subchannel. Return zero when the
|
|
* event has been handled sufficiently or -EAGAIN when this function should
|
|
* be called again in process context.
|
|
*/
|
|
static int vfio_ccw_sch_event(struct subchannel *sch, int process)
|
|
{
|
|
struct vfio_ccw_private *private = dev_get_drvdata(&sch->dev);
|
|
unsigned long flags;
|
|
int rc = -EAGAIN;
|
|
|
|
spin_lock_irqsave(sch->lock, flags);
|
|
if (!device_is_registered(&sch->dev))
|
|
goto out_unlock;
|
|
|
|
if (work_pending(&sch->todo_work))
|
|
goto out_unlock;
|
|
|
|
if (cio_update_schib(sch)) {
|
|
vfio_ccw_fsm_event(private, VFIO_CCW_EVENT_NOT_OPER);
|
|
rc = 0;
|
|
goto out_unlock;
|
|
}
|
|
|
|
private = dev_get_drvdata(&sch->dev);
|
|
if (private->state == VFIO_CCW_STATE_NOT_OPER) {
|
|
private->state = private->mdev ? VFIO_CCW_STATE_IDLE :
|
|
VFIO_CCW_STATE_STANDBY;
|
|
}
|
|
rc = 0;
|
|
|
|
out_unlock:
|
|
spin_unlock_irqrestore(sch->lock, flags);
|
|
|
|
return rc;
|
|
}
|
|
|
|
static struct css_device_id vfio_ccw_sch_ids[] = {
|
|
{ .match_flags = 0x1, .type = SUBCHANNEL_TYPE_IO, },
|
|
{ /* end of list */ },
|
|
};
|
|
MODULE_DEVICE_TABLE(css, vfio_ccw_sch_ids);
|
|
|
|
static struct css_driver vfio_ccw_sch_driver = {
|
|
.drv = {
|
|
.name = "vfio_ccw",
|
|
.owner = THIS_MODULE,
|
|
},
|
|
.subchannel_type = vfio_ccw_sch_ids,
|
|
.irq = vfio_ccw_sch_irq,
|
|
.probe = vfio_ccw_sch_probe,
|
|
.remove = vfio_ccw_sch_remove,
|
|
.shutdown = vfio_ccw_sch_shutdown,
|
|
.sch_event = vfio_ccw_sch_event,
|
|
};
|
|
|
|
static int __init vfio_ccw_sch_init(void)
|
|
{
|
|
int ret;
|
|
|
|
vfio_ccw_work_q = create_singlethread_workqueue("vfio-ccw");
|
|
if (!vfio_ccw_work_q)
|
|
return -ENOMEM;
|
|
|
|
vfio_ccw_io_region = kmem_cache_create_usercopy("vfio_ccw_io_region",
|
|
sizeof(struct ccw_io_region), 0,
|
|
SLAB_ACCOUNT, 0,
|
|
sizeof(struct ccw_io_region), NULL);
|
|
if (!vfio_ccw_io_region) {
|
|
destroy_workqueue(vfio_ccw_work_q);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
isc_register(VFIO_CCW_ISC);
|
|
ret = css_driver_register(&vfio_ccw_sch_driver);
|
|
if (ret) {
|
|
isc_unregister(VFIO_CCW_ISC);
|
|
kmem_cache_destroy(vfio_ccw_io_region);
|
|
destroy_workqueue(vfio_ccw_work_q);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
static void __exit vfio_ccw_sch_exit(void)
|
|
{
|
|
css_driver_unregister(&vfio_ccw_sch_driver);
|
|
isc_unregister(VFIO_CCW_ISC);
|
|
kmem_cache_destroy(vfio_ccw_io_region);
|
|
destroy_workqueue(vfio_ccw_work_q);
|
|
}
|
|
module_init(vfio_ccw_sch_init);
|
|
module_exit(vfio_ccw_sch_exit);
|
|
|
|
MODULE_LICENSE("GPL v2");
|