ANDROID: arm64: KVM: iommu: Fix range check for MMIO

Currently, we check the state of MMIO as a range; if tainted, it's allowed, and udpdate is skipped. Otherwise, it's updated to be tainted. However, there is no requirement that a group pages might not be a mix of both, so this check/update must be done on per page basis. Bug: 357781595 Bug: 384432312 Reported-by: Daniel Mentz <danielmentz@google.com> Change-Id: I079ffbf6734b20e97a0ea4c41f785aa9ad317c3e Signed-off-by: Mostafa Saleh <smostafa@google.com>
2025-06-06 10:56:01 +00:00
parent 413ed6ba22
commit 71516273b0
1 changed files with 16 additions and 11 deletions
--- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
+++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
@@ -1903,18 +1903,23 @@ static int __pkvm_use_dma_locked(phys_addr_t phys_addr, size_t size,
 		if (hyp_vcpu)
 			return -EINVAL;

-		ret = ___host_check_page_state_range(phys_addr, size,
-						     PKVM_PAGE_TAINTED,
-						     reg, false);
-		if (!ret)
-			return ret;
-		ret = ___host_check_page_state_range(phys_addr, size,
-						     PKVM_PAGE_OWNED,
-						     reg, false);
-		if (ret)
-			return ret;
+		for (i = 0; i < nr_pages; i++) {
+			u64 addr = phys_addr + i * PAGE_SIZE;
+
+			ret = ___host_check_page_state_range(addr, PAGE_SIZE,
+							     PKVM_PAGE_TAINTED,
+							     reg, false);
+			/* Page already tainted */
+			if (!ret)
+				continue;
+			ret = ___host_check_page_state_range(addr, PAGE_SIZE,
+							     PKVM_PAGE_OWNED,
+							     reg, false);
+			if (ret)
+				return ret;
+		}
 		prot = pkvm_mkstate(PKVM_HOST_MMIO_PROT, PKVM_PAGE_TAINTED);
-		ret = host_stage2_idmap_locked(phys_addr, size, prot, false);
+		WARN_ON(host_stage2_idmap_locked(phys_addr, size, prot, false));
 	} else {
 		/* For VMs, we know if we reach this point the VM has access to the page. */
 		if (!hyp_vcpu) {