OpenCloudOS-Kernel/drivers/iommu/iommufd
Nicolin Chen f1fb745ee0 iommufd: Fix iopt_access_list_id overwrite bug
commit aeb004c0cd6958e910123a1607634401009c9539 upstream.

Syzkaller reported the following WARN_ON:
  WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360

  Call Trace:
   iommufd_access_change_ioas+0x2fe/0x4e0
   iommufd_access_destroy_object+0x50/0xb0
   iommufd_object_remove+0x2a3/0x490
   iommufd_object_destroy_user
   iommufd_access_destroy+0x71/0xb0
   iommufd_test_staccess_release+0x89/0xd0
   __fput+0x272/0xb50
   __fput_sync+0x4b/0x60
   __do_sys_close
   __se_sys_close
   __x64_sys_close+0x8b/0x110
   do_syscall_x64

The mismatch between the access pointer in the list and the passed-in
pointer is resulting from an overwrite of access->iopt_access_list_id, in
iopt_add_access(). Called from iommufd_access_change_ioas() when
xa_alloc() succeeds but iopt_calculate_iova_alignment() fails.

Add a new_id in iopt_add_access() and only update iopt_access_list_id when
returning successfully.

Cc: stable@vger.kernel.org
Fixes: 9227da7816 ("iommufd: Add iommufd_access_change_ioas(_id) helpers")
Link: https://lore.kernel.org/r/2dda7acb25b8562ec5f1310de828ef5da9ef509c.1708636627.git.nicolinc@nvidia.com
Reported-by: Jason Gunthorpe <jgg@nvidia.com>
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-03-06 14:48:41 +00:00
Kconfig vfio: Compile vfio_group infrastructure optionally 2023-07-25 10:20:50 -06:00
Makefile
device.c VFIO updates for v6.6-rc1 2023-08-30 20:36:01 -07:00
double_span.h
hw_pagetable.c iommufd: Add IOMMU_HWPT_ALLOC 2023-07-26 10:20:31 -03:00
io_pagetable.c iommufd: Fix iopt_access_list_id overwrite bug 2024-03-06 14:48:41 +00:00
io_pagetable.h
ioas.c iommu/iommufd: Pass iommufd_ctx pointer in iommufd_get_ioas() 2023-03-29 16:52:41 -03:00
iommufd_private.h VFIO updates for v6.6-rc1 2023-08-30 20:36:01 -07:00
iommufd_test.h iommufd/selftest: Add coverage for IOMMU_GET_HW_INFO ioctl 2023-08-18 12:52:15 -03:00
main.c VFIO updates for v6.6-rc1 2023-08-30 20:36:01 -07:00
pages.c iommufd: Add iopt_area_alloc() 2023-11-20 11:59:17 +01:00
selftest.c iommufd/selftest: Don't leak the platform device memory when unloading the module 2023-08-18 12:56:24 -03:00
vfio_compat.c vfio: align capability structures 2023-08-17 12:17:44 -06:00