VMCI: Fix two UVA mapping bugs

(this is a resend of this patch. Originally sent last year, but post appears to have been lost) This change fixes two bugs in the VMCI host driver related to mapping the notify boolean from user space into kernel space: - the actual UVA was rounded up to the next page boundary - resulting in memory corruption in the calling process whenever notifications would be signalled. This has been fixed by just removing the PAGE_ALIGN part, since get_user_pages_fast can figure this out on its own - the mapped page wasn't stored anywhere, so it wasn't unmapped and put back when a VMCI context was destroyed. Fixed this by remembering the page. Acked-by: Andy King <acking@vmware.com> Acked-by: Darius Davis <darius@vmware.com> Signed-off-by: Jorgen Hansen <jhansen@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Jorgen Hansen <jhansen@vmware.com> 2015-01-14 14:10:19 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-01-25 12:18:00 -0500
commit: a1d88436d53a75e950db15834b3d2f8c0c358fdc (patch)
tree: a1c852aa45acec5f487e0d61706b7dbe57eaea90 /drivers/misc
parent: 3f46d81ae1cf8f20f25c39ae1ab3f1b064698361 (diff)
2 files changed, 8 insertions, 7 deletions
diff --git a/drivers/misc/vmw_vmci/vmci_driver.c b/drivers/misc/vmw_vmci/vmci_driver.c
index 3dee7ae123e7..032d35cf93ca 100644
--- a/drivers/misc/vmw_vmci/vmci_driver.c
+++ b/drivers/misc/vmw_vmci/vmci_driver.c
@@ -113,5 +113,5 @@ module_exit(vmci_drv_exit);
 MODULE_AUTHOR("VMware, Inc.");
 MODULE_DESCRIPTION("VMware Virtual Machine Communication Interface.");
-MODULE_VERSION("1.1.0.0-k");
+MODULE_VERSION("1.1.1.0-k");
 MODULE_LICENSE("GPL v2");
diff --git a/drivers/misc/vmw_vmci/vmci_host.c b/drivers/misc/vmw_vmci/vmci_host.c
index 1723a6e4f2e8..66fc9921fc85 100644
--- a/drivers/misc/vmw_vmci/vmci_host.c
+++ b/drivers/misc/vmw_vmci/vmci_host.c
@@ -218,13 +218,12 @@ static int drv_cp_harray_to_user(void __user *user_buf_uva,
 }
 /*
- * Sets up a given context for notify to work.  Calls drv_map_bool_ptr()
+ * Sets up a given context for notify to work. Maps the notify
- * which maps the notify boolean in user VA in kernel space.
+ * boolean in user VA into kernel space.
 */
 static int vmci_host_setup_notify(struct vmci_ctx *context,
                                  unsigned long uva)
 {
-        struct page *page;
        int retval;
        if (context->notify_page) {
@@ -243,14 +242,16 @@ static int vmci_host_setup_notify(struct vmci_ctx *context,
        /*
         * Lock physical page backing a given user VA.
         */
-        retval = get_user_pages_fast(PAGE_ALIGN(uva), 1, 1, &page);
+        retval = get_user_pages_fast(uva, 1, 1, &context->notify_page);
-        if (retval != 1)
+        if (retval != 1) {
+                context->notify_page = NULL;
                return VMCI_ERROR_GENERIC;
+        }
        /*
         * Map the locked page and set up notify pointer.
         */
-        context->notify = kmap(page) + (uva & (PAGE_SIZE - 1));
+        context->notify = kmap(context->notify_page) + (uva & (PAGE_SIZE - 1));
        vmci_ctx_check_signal_notify(context);
        return VMCI_SUCCESS;
author	Jorgen Hansen <jhansen@vmware.com>	2015-01-14 14:10:19 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-01-25 12:18:00 -0500
commit	a1d88436d53a75e950db15834b3d2f8c0c358fdc (patch)
tree	a1c852aa45acec5f487e0d61706b7dbe57eaea90 /drivers/misc
parent	3f46d81ae1cf8f20f25c39ae1ab3f1b064698361 (diff)