Commit 60c988bc authored by Daniel Jordan's avatar Daniel Jordan Committed by Alex Williamson

vfio/type1: Empty batch for pfnmap pages

When vfio_pin_pages_remote() returns with a partial batch consisting of
a single VM_PFNMAP pfn, a subsequent call will unfortunately try
restoring it from batch->pages, resulting in vfio mapping the wrong page
and unbalancing the page refcount.

Prevent the function from returning with this kind of partial batch to
avoid the issue.  There's no explicit check for a VM_PFNMAP pfn because
it's awkward to do so, so infer it from characteristics of the batch
instead.  This may result in occasional false positives but keeps the
code simpler.

Fixes: 4d83de6d ("vfio/type1: Batch page pinning")
Link: https://lkml.kernel.org/r/20210323133254.33ed9161@omen.home.shazbot.org/Reported-by: default avatarAlex Williamson <alex.williamson@redhat.com>
Suggested-by: default avatarAlex Williamson <alex.williamson@redhat.com>
Signed-off-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
Message-Id: <20210325010552.185481-1-daniel.m.jordan@oracle.com>
Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
parent 0d02ec6b
...@@ -739,6 +739,12 @@ static long vfio_pin_pages_remote(struct vfio_dma *dma, unsigned long vaddr, ...@@ -739,6 +739,12 @@ static long vfio_pin_pages_remote(struct vfio_dma *dma, unsigned long vaddr,
ret = vfio_lock_acct(dma, lock_acct, false); ret = vfio_lock_acct(dma, lock_acct, false);
unpin_out: unpin_out:
if (batch->size == 1 && !batch->offset) {
/* May be a VM_PFNMAP pfn, which the batch can't remember. */
put_pfn(pfn, dma->prot);
batch->size = 0;
}
if (ret < 0) { if (ret < 0) {
if (pinned && !rsvd) { if (pinned && !rsvd) {
for (pfn = *pfn_base ; pinned ; pfn++, pinned--) for (pfn = *pfn_base ; pinned ; pfn++, pinned--)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment