diff options
author | Marc Zyngier <marc.zyngier@arm.com> | 2016-07-17 11:48:47 +0100 |
---|---|---|
committer | Marc Zyngier <marc.zyngier@arm.com> | 2016-07-18 18:15:18 +0100 |
commit | d6c7f865f00adf98ca79712167fb0f1b9dccb272 (patch) | |
tree | eba4cdf8b80f67d46212e425b335214aafdeb1cf /virt | |
parent | 333a53ff7fb9d836ff4a2b7f266ac9b2bb85e873 (diff) |
KVM: arm64: vgic-its: Fix L2 entry validation for indirect tables
When checking that the storage address of a device entry is valid,
it is critical to compute the actual address of the entry, rather
than relying on the beginning of the page to match a CPU page of
the same size: for example, if the guest places the table at the
last 64kB boundary of RAM, but RAM size isn't a multiple of 64kB...
Fix this by computing the actual offset of the device ID in the
L2 page, and check the corresponding GFN.
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Diffstat (limited to 'virt')
-rw-r--r-- | virt/kvm/arm/vgic/vgic-its.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c index 4943d6aebdd1..2faf1f458e8a 100644 --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -727,7 +727,12 @@ static bool vgic_its_check_device_id(struct kvm *kvm, struct vgic_its *its, * Any address beyond our supported 48 bits of PA will be caught * by the actual check in the final step. */ - gfn = (indirect_ptr & GENMASK_ULL(51, 16)) >> PAGE_SHIFT; + indirect_ptr &= GENMASK_ULL(51, 16); + + /* Find the address of the actual entry */ + index = device_id % (SZ_64K / GITS_BASER_ENTRY_SIZE(r)); + indirect_ptr += index * GITS_BASER_ENTRY_SIZE(r); + gfn = indirect_ptr >> PAGE_SHIFT; return kvm_is_visible_gfn(kvm, gfn); } |