1. 01 10月, 2020 1 次提交
  2. 04 9月, 2020 1 次提交
  3. 24 7月, 2020 1 次提交
  4. 22 7月, 2020 1 次提交
  5. 09 7月, 2020 1 次提交
    • Q
      iommu: Fix use-after-free in iommu_release_device · 9ac85451
      Qian Cai 提交于
      In pci_disable_sriov(), i.e.,
      
       # echo 0 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs
      
      iommu_release_device
        iommu_group_remove_device
          arm_smmu_domain_free
            kfree(smmu_domain)
      
      Later,
      
      iommu_release_device
        arm_smmu_release_device
          arm_smmu_detach_dev
            spin_lock_irqsave(&smmu_domain->devices_lock,
      
      would trigger an use-after-free. Fixed it by call
      arm_smmu_release_device() first before iommu_group_remove_device().
      
       BUG: KASAN: use-after-free in __lock_acquire+0x3458/0x4440
        __lock_acquire at kernel/locking/lockdep.c:4250
       Read of size 8 at addr ffff0089df1a6f68 by task bash/3356
      
       CPU: 5 PID: 3356 Comm: bash Not tainted 5.8.0-rc3-next-20200630 #2
       Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.11 06/18/2019
       Call trace:
        dump_backtrace+0x0/0x398
        show_stack+0x14/0x20
        dump_stack+0x140/0x1b8
        print_address_description.isra.12+0x54/0x4a8
        kasan_report+0x134/0x1b8
        __asan_report_load8_noabort+0x2c/0x50
        __lock_acquire+0x3458/0x4440
        lock_acquire+0x204/0xf10
        _raw_spin_lock_irqsave+0xf8/0x180
        arm_smmu_detach_dev+0xd8/0x4a0
        arm_smmu_detach_dev at drivers/iommu/arm-smmu-v3.c:2776
        arm_smmu_release_device+0xb4/0x1c8
        arm_smmu_disable_pasid at drivers/iommu/arm-smmu-v3.c:2754
        (inlined by) arm_smmu_release_device at drivers/iommu/arm-smmu-v3.c:3000
        iommu_release_device+0xc0/0x178
        iommu_release_device at drivers/iommu/iommu.c:302
        iommu_bus_notifier+0x118/0x160
        notifier_call_chain+0xa4/0x128
        __blocking_notifier_call_chain+0x70/0xa8
        blocking_notifier_call_chain+0x14/0x20
        device_del+0x618/0xa00
        pci_remove_bus_device+0x108/0x2d8
        pci_stop_and_remove_bus_device+0x1c/0x28
        pci_iov_remove_virtfn+0x228/0x368
        sriov_disable+0x8c/0x348
        pci_disable_sriov+0x5c/0x70
        mlx5_core_sriov_configure+0xd8/0x260 [mlx5_core]
        sriov_numvfs_store+0x240/0x318
        dev_attr_store+0x38/0x68
        sysfs_kf_write+0xdc/0x128
        kernfs_fop_write+0x23c/0x448
        __vfs_write+0x54/0xe8
        vfs_write+0x124/0x3f0
        ksys_write+0xe8/0x1b8
        __arm64_sys_write+0x68/0x98
        do_el0_svc+0x124/0x220
        el0_sync_handler+0x260/0x408
        el0_sync+0x140/0x180
      
       Allocated by task 3356:
        save_stack+0x24/0x50
        __kasan_kmalloc.isra.13+0xc4/0xe0
        kasan_kmalloc+0xc/0x18
        kmem_cache_alloc_trace+0x1ec/0x318
        arm_smmu_domain_alloc+0x54/0x148
        iommu_group_alloc_default_domain+0xc0/0x440
        iommu_probe_device+0x1c0/0x308
        iort_iommu_configure+0x434/0x518
        acpi_dma_configure+0xf0/0x128
        pci_dma_configure+0x114/0x160
        really_probe+0x124/0x6d8
        driver_probe_device+0xc4/0x180
        __device_attach_driver+0x184/0x1e8
        bus_for_each_drv+0x114/0x1a0
        __device_attach+0x19c/0x2a8
        device_attach+0x10/0x18
        pci_bus_add_device+0x70/0xf8
        pci_iov_add_virtfn+0x7b4/0xb40
        sriov_enable+0x5c8/0xc30
        pci_enable_sriov+0x64/0x80
        mlx5_core_sriov_configure+0x58/0x260 [mlx5_core]
        sriov_numvfs_store+0x1c0/0x318
        dev_attr_store+0x38/0x68
        sysfs_kf_write+0xdc/0x128
        kernfs_fop_write+0x23c/0x448
        __vfs_write+0x54/0xe8
        vfs_write+0x124/0x3f0
        ksys_write+0xe8/0x1b8
        __arm64_sys_write+0x68/0x98
        do_el0_svc+0x124/0x220
        el0_sync_handler+0x260/0x408
        el0_sync+0x140/0x180
      
       Freed by task 3356:
        save_stack+0x24/0x50
        __kasan_slab_free+0x124/0x198
        kasan_slab_free+0x10/0x18
        slab_free_freelist_hook+0x110/0x298
        kfree+0x128/0x668
        arm_smmu_domain_free+0xf4/0x1a0
        iommu_group_release+0xec/0x160
        kobject_put+0xf4/0x238
        kobject_del+0x110/0x190
        kobject_put+0x1e4/0x238
        iommu_group_remove_device+0x394/0x938
        iommu_release_device+0x9c/0x178
        iommu_release_device at drivers/iommu/iommu.c:300
        iommu_bus_notifier+0x118/0x160
        notifier_call_chain+0xa4/0x128
        __blocking_notifier_call_chain+0x70/0xa8
        blocking_notifier_call_chain+0x14/0x20
        device_del+0x618/0xa00
        pci_remove_bus_device+0x108/0x2d8
        pci_stop_and_remove_bus_device+0x1c/0x28
        pci_iov_remove_virtfn+0x228/0x368
        sriov_disable+0x8c/0x348
        pci_disable_sriov+0x5c/0x70
        mlx5_core_sriov_configure+0xd8/0x260 [mlx5_core]
        sriov_numvfs_store+0x240/0x318
        dev_attr_store+0x38/0x68
        sysfs_kf_write+0xdc/0x128
        kernfs_fop_write+0x23c/0x448
        __vfs_write+0x54/0xe8
        vfs_write+0x124/0x3f0
        ksys_write+0xe8/0x1b8
        __arm64_sys_write+0x68/0x98
        do_el0_svc+0x124/0x220
        el0_sync_handler+0x260/0x408
        el0_sync+0x140/0x180
      
       The buggy address belongs to the object at ffff0089df1a6e00
        which belongs to the cache kmalloc-512 of size 512
       The buggy address is located 360 bytes inside of
        512-byte region [ffff0089df1a6e00, ffff0089df1a7000)
       The buggy address belongs to the page:
       page:ffffffe02257c680 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0089df1a1400
       flags: 0x7ffff800000200(slab)
       raw: 007ffff800000200 ffffffe02246b8c8 ffffffe02257ff88 ffff000000320680
       raw: ffff0089df1a1400 00000000002a000e 00000001ffffffff ffff0089df1a5001
       page dumped because: kasan: bad access detected
       page->mem_cgroup:ffff0089df1a5001
      
       Memory state around the buggy address:
        ffff0089df1a6e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff0089df1a6e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       >ffff0089df1a6f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                 ^
        ffff0089df1a6f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff0089df1a7000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      
      Fixes: a6a4c7e2 ("iommu: Add probe_device() and release_device() call-backs")
      Signed-off-by: NQian Cai <cai@lca.pw>
      Link: https://lore.kernel.org/r/20200704001003.2303-1-cai@lca.pwSigned-off-by: NJoerg Roedel <jroedel@suse.de>
      9ac85451
  6. 30 6月, 2020 1 次提交
  7. 04 6月, 2020 1 次提交
  8. 29 5月, 2020 2 次提交
    • Q
      iommu: Fix reference count leak in iommu_group_alloc. · 7cc31613
      Qiushi Wu 提交于
      kobject_init_and_add() takes reference even when it fails.
      Thus, when kobject_init_and_add() returns an error,
      kobject_put() must be called to properly clean up the kobject.
      
      Fixes: d72e31c9 ("iommu: IOMMU Groups")
      Signed-off-by: NQiushi Wu <wu000273@umn.edu>
      Link: https://lore.kernel.org/r/20200527210020.6522-1-wu000273@umn.eduSigned-off-by: NJoerg Roedel <jroedel@suse.de>
      7cc31613
    • J
      iommu: Remove iommu_sva_ops::mm_exit() · edcc40d2
      Jean-Philippe Brucker 提交于
      After binding a device to an mm, device drivers currently need to
      register a mm_exit handler. This function is called when the mm exits,
      to gracefully stop DMA targeting the address space and flush page faults
      to the IOMMU.
      
      This is deemed too complex for the MMU release() notifier, which may be
      triggered by any mmput() invocation, from about 120 callsites [1]. The
      upcoming SVA module has an example of such complexity: the I/O Page
      Fault handler would need to call mmput_async() instead of mmput() after
      handling an IOPF, to avoid triggering the release() notifier which would
      in turn drain the IOPF queue and lock up.
      
      Another concern is the DMA stop function taking too long, up to several
      minutes [2]. For some mmput() callers this may disturb other users. For
      example, if the OOM killer picks the mm bound to a device as the victim
      and that mm's memory is locked, if the release() takes too long, it
      might choose additional innocent victims to kill.
      
      To simplify the MMU release notifier, don't forward the notification to
      device drivers. Since they don't stop DMA on mm exit anymore, the PASID
      lifetime is extended:
      
      (1) The device driver calls bind(). A PASID is allocated.
      
        Here any DMA fault is handled by mm, and on error we don't print
        anything to dmesg. Userspace can easily trigger errors by issuing DMA
        on unmapped buffers.
      
      (2) exit_mmap(), for example the process took a SIGKILL. This step
          doesn't happen during normal operations. Remove the pgd from the
          PASID table, since the page tables are about to be freed. Invalidate
          the IOTLBs.
      
        Here the device may still perform DMA on the address space. Incoming
        transactions are aborted but faults aren't printed out. ATS
        Translation Requests return Successful Translation Completions with
        R=W=0. PRI Page Requests return with Invalid Request.
      
      (3) The device driver stops DMA, possibly following release of a fd, and
          calls unbind(). PASID table is cleared, IOTLB invalidated if
          necessary. The page fault queues are drained, and the PASID is
          freed.
      
        If DMA for that PASID is still running here, something went seriously
        wrong and errors should be reported.
      
      For now remove iommu_sva_ops entirely. We might need to re-introduce
      them at some point, for example to notify device drivers of unhandled
      IOPF.
      
      [1] https://lore.kernel.org/linux-iommu/20200306174239.GM31668@ziepe.ca/
      [2] https://lore.kernel.org/linux-iommu/4d68da96-0ad5-b412-5987-2f7a6aa796c3@amd.com/Signed-off-by: NJean-Philippe Brucker <jean-philippe@linaro.org>
      Acked-by: NJacob Pan <jacob.jun.pan@linux.intel.com>
      Acked-by: NLu Baolu <baolu.lu@linux.intel.com>
      Link: https://lore.kernel.org/r/20200423125329.782066-3-jean-philippe@linaro.orgSigned-off-by: NJoerg Roedel <jroedel@suse.de>
      edcc40d2
  9. 25 5月, 2020 2 次提交
  10. 19 5月, 2020 1 次提交
    • J
      iommu: Fix deferred domain attachment · bd421264
      Joerg Roedel 提交于
      The IOMMU core code has support for deferring the attachment of a domain
      to a device. This is needed in kdump kernels where the new domain must
      not be attached to a device before the device driver takes it over.
      
      When the AMD IOMMU driver got converted to use the dma-iommu
      implementation, the deferred attaching got lost. The code in
      dma-iommu.c has support for deferred attaching, but it calls into
      iommu_attach_device() to actually do it. But iommu_attach_device()
      will check if the device should be deferred in it code-path and do
      nothing, breaking deferred attachment.
      
      Move the is_deferred_attach() check out of the attach_device path and
      into iommu_group_add_device() to make deferred attaching work from the
      dma-iommu code.
      
      Fixes: 795bbbb9 ("iommu/dma-iommu: Handle deferred devices")
      Reported-by: NJerry Snitselaar <jsnitsel@redhat.com>
      Suggested-by: NRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: NJoerg Roedel <jroedel@suse.de>
      Tested-by: NJerry Snitselaar <jsnitsel@redhat.com>
      Cc: Jerry Snitselaar <jsnitsel@redhat.com>
      Cc: Tom Murphy <murphyt7@tcd.ie>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Link: https://lore.kernel.org/r/20200519130340.14564-1-joro@8bytes.org
      bd421264
  11. 15 5月, 2020 1 次提交
  12. 13 5月, 2020 1 次提交
  13. 05 5月, 2020 12 次提交
  14. 01 5月, 2020 1 次提交
  15. 29 4月, 2020 1 次提交
    • K
      iommu: Fix the memory leak in dev_iommu_free() · 5375e874
      Kevin Hao 提交于
      In iommu_probe_device(), we would invoke dev_iommu_free() to free the
      dev->iommu after the ->add_device() returns failure. But after commit
      72acd9df ("iommu: Move iommu_fwspec to struct dev_iommu"), we also
      need to free the iommu_fwspec before the dev->iommu is freed. This fixes
      the following memory leak reported by kmemleak:
        unreferenced object 0xffff000bc836c700 (size 128):
          comm "swapper/0", pid 1, jiffies 4294896304 (age 782.120s)
          hex dump (first 32 bytes):
            00 00 00 00 00 00 00 00 d8 cd 9b ff 0b 00 ff ff  ................
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          backtrace:
            [<00000000df34077b>] kmem_cache_alloc_trace+0x244/0x4b0
            [<000000000e560ac0>] iommu_fwspec_init+0x7c/0xb0
            [<0000000075eda275>] of_iommu_xlate+0x80/0xe8
            [<00000000728d6bf9>] of_pci_iommu_init+0xb0/0xb8
            [<00000000d001fe6f>] pci_for_each_dma_alias+0x48/0x190
            [<000000006db6bbce>] of_iommu_configure+0x1ac/0x1d0
            [<00000000634745f8>] of_dma_configure+0xdc/0x220
            [<000000002cbc8ba0>] pci_dma_configure+0x50/0x78
            [<00000000cdf6e193>] really_probe+0x8c/0x340
            [<00000000fddddc46>] driver_probe_device+0x60/0xf8
            [<0000000061bcdb51>] __device_attach_driver+0x8c/0xd0
            [<000000009b9ff58e>] bus_for_each_drv+0x80/0xd0
            [<000000004b9c8aa3>] __device_attach+0xec/0x148
            [<00000000a5c13bf3>] device_attach+0x1c/0x28
            [<000000005071e151>] pci_bus_add_device+0x58/0xd0
            [<000000002d4f87d1>] pci_bus_add_devices+0x40/0x90
      
      Fixes: 72acd9df ("iommu: Move iommu_fwspec to struct dev_iommu")
      Signed-off-by: NKevin Hao <haokexin@gmail.com>
      Link: https://lore.kernel.org/r/20200402143749.40500-1-haokexin@gmail.comSigned-off-by: NJoerg Roedel <jroedel@suse.de>
      5375e874
  16. 27 3月, 2020 2 次提交
  17. 28 2月, 2020 1 次提交
    • R
      iommu: Use C99 flexible array in fwspec · 098accf2
      Robin Murphy 提交于
      Although the 1-element array was a typical pre-C99 way to implement
      variable-length structures, and indeed is a fundamental construct in the
      APIs of certain other popular platforms, there's no good reason for it
      here (and in particular the sizeof() trick is far too "clever" for its
      own good). We can just as easily implement iommu_fwspec's preallocation
      behaviour using a standard flexible array member, so let's make it look
      the way most readers would expect.
      Signed-off-by: NRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: NJoerg Roedel <jroedel@suse.de>
      098accf2
  18. 08 1月, 2020 1 次提交
  19. 23 12月, 2019 4 次提交
  20. 17 12月, 2019 2 次提交
  21. 15 10月, 2019 2 次提交