linux/drivers
Jason Gunthorpe dbe245cdf5 iommufd: Call iopt_area_contig_done() under the lock
The iter internally holds a pointer to the area and
iopt_area_contig_done() will dereference it. The pointer is not valid
outside the iova_rwsem.

syzkaller reports:

  BUG: KASAN: slab-use-after-free in iommufd_access_unpin_pages+0x363/0x370
  Read of size 8 at addr ffff888022286e20 by task syz-executor669/5771

  CPU: 0 PID: 5771 Comm: syz-executor669 Not tainted 6.4.0-rc5-syzkaller-00313-g4c605260bc60 #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
  Call Trace:
   <TASK>
   dump_stack_lvl+0xd9/0x150
   print_address_description.constprop.0+0x2c/0x3c0
   kasan_report+0x11c/0x130
   iommufd_access_unpin_pages+0x363/0x370
   iommufd_test_access_unmap+0x24b/0x390
   iommufd_access_notify_unmap+0x24c/0x3a0
   iopt_unmap_iova_range+0x4c4/0x5f0
   iopt_unmap_all+0x27/0x50
   iommufd_ioas_unmap+0x3d0/0x490
   iommufd_fops_ioctl+0x317/0x4b0
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x39/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
  RIP: 0033:0x7fec1dae3b19
  Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007fec1da74308 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  RAX: ffffffffffffffda RBX: 00007fec1db6b438 RCX: 00007fec1dae3b19
  RDX: 0000000020000100 RSI: 0000000000003b86 RDI: 0000000000000003
  RBP: 00007fec1db6b430 R08: 00007fec1da74700 R09: 0000000000000000
  R10: 00007fec1da74700 R11: 0000000000000246 R12: 00007fec1db6b43c
  R13: 00007fec1db39074 R14: 6d6f692f7665642f R15: 0000000000022000
   </TASK>

  Allocated by task 5770:
   kasan_save_stack+0x22/0x40
   kasan_set_track+0x25/0x30
   __kasan_kmalloc+0xa2/0xb0
   iopt_alloc_area_pages+0x94/0x560
   iopt_map_user_pages+0x205/0x4e0
   iommufd_ioas_map+0x329/0x5f0
   iommufd_fops_ioctl+0x317/0x4b0
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x39/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

  Freed by task 5770:
   kasan_save_stack+0x22/0x40
   kasan_set_track+0x25/0x30
   kasan_save_free_info+0x2e/0x40
   ____kasan_slab_free+0x160/0x1c0
   slab_free_freelist_hook+0x8b/0x1c0
   __kmem_cache_free+0xaf/0x2d0
   iopt_unmap_iova_range+0x288/0x5f0
   iopt_unmap_all+0x27/0x50
   iommufd_ioas_unmap+0x3d0/0x490
   iommufd_fops_ioctl+0x317/0x4b0
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x39/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

The parallel unmap freed iter->area the instant the lock was released.

Fixes: 51fe6141f0 ("iommufd: Data structure to provide IOVA to PFN mapping")
Link: https://lore.kernel.org/r/2-v2-9a03761d445d+54-iommufd_syz2_jgg@nvidia.com
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reported-by: syzbot+6c8d756f238a75fc3eb8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/000000000000905eba05fe38e9f2@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2023-06-26 09:00:23 -03:00
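The bug class described in the commit message, as an added, self-contained model that is not iommufd's code: an iterator caches a pointer to an area that is only guaranteed to exist while the page table's rwsem is held, and the "done" check dereferences that pointer. The names (iopt, area_iter, contig_done, unpin_before_fix, unpin_after_fix) and the on_unlock hook are hypothetical scaffolding; the hook stands in for the concurrent unmapper winning the race the moment the lock is dropped, and the unmapper poisons the area instead of calling free() so the stale dereference is observable deterministically rather than only under KASAN.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define AREA_LIVE 0xa11ce   /* magic of a mapped area */
#define AREA_DEAD 0xdead    /* magic once the area has been "freed" */

struct area {
	uint32_t magic;
	unsigned long iova_start, iova_last;
};

/* Toy io_pagetable: one mapped area and a counter-based model of iova_rwsem. */
struct iopt {
	struct area *area;        /* NULL once unmapped */
	struct area *quarantine;  /* poisoned area parked here instead of free()d */
	int readers, writer;
	void (*on_unlock)(struct iopt *); /* hypothetical race hook (test only) */
};

struct area_iter {
	struct area *area;        /* valid ONLY while iova_rwsem is held */
	unsigned long cur_iova, last_iova;
};

static void iopt_init(struct iopt *iopt, void (*on_unlock)(struct iopt *))
{
	iopt->area = iopt->quarantine = NULL;
	iopt->readers = iopt->writer = 0;
	iopt->on_unlock = on_unlock;
}

static int iopt_map(struct iopt *iopt, unsigned long start, unsigned long last)
{
	struct area *a = malloc(sizeof(*a));
	if (!a || iopt->area) { free(a); return -1; }
	a->magic = AREA_LIVE; a->iova_start = start; a->iova_last = last;
	iopt->area = a;
	return 0;
}

static void down_read(struct iopt *iopt) { iopt->readers++; }
static void up_read(struct iopt *iopt)
{
	/* The unmapper runs the instant the last reader lets go of the lock. */
	if (--iopt->readers == 0 && iopt->on_unlock) iopt->on_unlock(iopt);
}
static int down_write(struct iopt *iopt)
{
	if (iopt->readers || iopt->writer) return -1; /* a real rwsem would sleep */
	iopt->writer = 1; return 0;
}
static void up_write(struct iopt *iopt) { iopt->writer = 0; }

/* Caller holds the rwsem for write. Poisons the area rather than freeing it. */
static void iopt_unmap_all(struct iopt *iopt)
{
	struct area *a = iopt->area;
	if (!a) return;
	a->magic = AREA_DEAD;
	iopt->area = NULL;
	iopt->quarantine = a;
}

/* Caller holds the rwsem. Points the iterator at the area covering [iova, last]. */
static void iter_first(struct area_iter *it, struct iopt *iopt,
		       unsigned long iova, unsigned long last)
{
	it->cur_iova = iova; it->last_iova = last; it->area = NULL;
	if (iopt->area && iova <= iopt->area->iova_last && last >= iopt->area->iova_start)
		it->area = iopt->area;
}

/* 1: whole range covered, 0: not covered, -1: touched an already-unmapped area. */
static int contig_done(const struct area_iter *it)
{
	if (!it->area) return 0;
	if (it->area->magic != AREA_LIVE) return -1;   /* the use-after-free */
	return it->last_iova <= it->area->iova_last;
}

/* Before the fix: the iterator is inspected after the lock is dropped. */
static int unpin_before_fix(struct iopt *iopt, unsigned long iova, unsigned long last)
{
	struct area_iter it;
	down_read(iopt);
	iter_first(&it, iopt, iova, last);
	/* per-area unpin work would go here */
	up_read(iopt);              /* racing unmap frees it.area right here */
	return contig_done(&it);    /* dereferences freed memory */
}

/* After the fix: evaluate the check under the lock, then release it. */
static int unpin_after_fix(struct iopt *iopt, unsigned long iova, unsigned long last)
{
	struct area_iter it;
	int done;
	down_read(iopt);
	iter_first(&it, iopt, iova, last);
	done = contig_done(&it);    /* it.area cannot go away while we hold the lock */
	up_read(iopt);
	return done;
}

static void racing_unmap(struct iopt *iopt)
{
	if (down_write(iopt) == 0) { iopt_unmap_all(iopt); up_write(iopt); }
}

static void iopt_destroy(struct iopt *iopt)
{
	free(iopt->area); free(iopt->quarantine);
	iopt->area = iopt->quarantine = NULL;
}

int main(void)
{
	struct iopt iopt;
	iopt_init(&iopt, racing_unmap);
	iopt_map(&iopt, 0x1000, 0x1fff);
	printf("before fix: %d (stale area)\n", unpin_before_fix(&iopt, 0x1000, 0x1fff));
	iopt_destroy(&iopt);
	iopt_init(&iopt, racing_unmap);
	iopt_map(&iopt, 0x1000, 0x1fff);
	printf("after fix: %d (done)\n", unpin_after_fix(&iopt, 0x1000, 0x1fff));
	iopt_destroy(&iopt);
	return 0;
}
```

The invariant to carry over to real code is the comment on the iterator: any field that aliases an object owned by a lock-protected structure is dead the moment that lock is released, so every read of it, including a "done" or WARN_ON-style sanity check after a loop, belongs on the locked side of the unlock call.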
accel accel/qaic: Call DRM helper function to destroy prime GEM 2023-06-20 08:07:29 -06:00
accessibility braille_console: remove MODULE_LICENSE in non-modules 2023-04-13 13:13:53 -07:00
acpi ACPI: sleep: Avoid breaking S3 wakeup due to might_sleep() 2023-06-15 18:05:19 +02:00
amba ARM: tegra: remove MODULE_LICENSE in non-modules 2023-04-13 13:13:50 -07:00
android binder: fix UAF of alloc->vma in race with munmap() 2023-05-20 17:56:23 +01:00
ata ata: libata-scsi: Avoid deadlock on rescan after device resume 2023-06-18 12:00:49 +09:00
atm
auxdisplay
base regmap: One more fix for v6.4 2023-06-21 10:25:43 -07:00
bcma bcma: Add explicit of_device.h include 2023-04-14 15:32:56 +03:00
block Revert "virtio-blk: support completion batching for the IRQ path" 2023-06-21 04:14:28 -04:00
bluetooth Bluetooth: hci_qca: fix debugfs registration 2023-06-05 17:13:14 -07:00
bus modules-6.4-rc1 2023-04-27 16:36:55 -07:00
cdrom
cdx cdx: fix build failure due to sysfs 'bus_type' argument needing to be const 2023-04-27 16:21:32 -07:00
char tpm, tpm_tis: correct tpm_tis_flags enumeration values 2023-06-02 17:35:22 -04:00
clk clk: pxa: fix NULL pointer dereference in pxa3xx_clk_update_accr 2023-06-14 17:22:17 -07:00
clocksource Timekeeping and clocksource/event driver updates the second batch: 2023-04-29 10:24:30 -07:00
comedi
connector
counter - New Drivers 2023-05-02 10:41:31 -07:00
cpufreq cpufreq: amd-pstate: Update policy->cur in amd_pstate_adjust_perf() 2023-05-25 19:35:13 +02:00
cpuidle RISC-V: Align SBI probe implementation with spec 2023-04-29 13:04:50 -07:00
crypto This push fixes the following problems: 2023-05-07 10:57:14 -07:00
cxl cxl: Explicitly initialize resources when media is not ready 2023-05-26 13:34:39 -07:00
dax
dca Mainly singleton patches all over the place. Series of note are: 2023-04-27 19:57:00 -07:00
devfreq Driver core changes for 6.4-rc1 2023-04-27 11:53:57 -07:00
dio
dma dmaengine: at_hdmac: Extend the Flow Controller bitfield to three bits 2023-05-24 11:20:28 +05:30
dma-buf udmabuf: revert 'Add support for mapping hugepages (v4)' 2023-06-19 13:19:32 -07:00
edac EDAC/qcom: Get rid of hardcoded register offsets 2023-05-26 20:56:55 -07:00
eisa
extcon
firewire firewire: net: fix unexpected release of object for asynchronous request packet 2023-05-11 09:06:49 +09:00
firmware Revert "efi: random: refresh non-volatile random seed when RNG is initialized" 2023-06-21 10:58:46 -07:00
fpga Char/Misc drivers for 6.4-rc1 2023-04-27 12:07:50 -07:00
fsi
gnss
gpio gpiolib: Fix irq_domain resource tracking for gpiochip_irqchip_add_domain() 2023-06-19 14:57:38 +02:00
gpu drm: use mgr->dev in drm_dbg_kms in drm_dp_add_payload_part2 2023-06-20 16:00:09 -04:00
greybus
hid for-linus-2023060501 2023-06-06 04:36:02 -07:00
hsi
hte Devicetree updates for v6.4, part 2: 2023-04-27 10:09:05 -07:00
hv x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline 2023-06-17 23:09:47 +00:00
hwmon hwmon: (k10temp) Add PCI ID for family 19, model 78h 2023-05-08 11:36:19 +02:00
hwspinlock hwspinlock: remove MODULE_LICENSE in non-modules 2023-04-13 13:13:52 -07:00
hwtracing coresight: perf: Release Coresight path when alloc trace id failed 2023-05-11 11:18:21 +01:00
i2c i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle 2023-06-23 12:58:24 +02:00
i3c i3c: ast2600: set variable ast2600_i3c_ops storage-class-specifier to static 2023-04-30 23:50:26 +02:00
idle intel_idle: mark few variables as __read_mostly 2023-04-27 19:37:36 +02:00
iio iio: imu: inv_icm42600: fix timestamp reset 2023-05-20 17:33:14 +01:00
infiniband RDMA/rxe: Fix rxe_cq_post 2023-06-14 14:12:43 -03:00
input Input updates for v6.4-rc5 2023-06-07 13:49:42 -07:00
interconnect modules-6.4-rc1 2023-04-27 16:36:55 -07:00
iommu iommufd: Call iopt_area_contig_done() under the lock 2023-06-26 09:00:23 -03:00
ipack
irqchip irqchip/gic: Correctly validate OF quirk descriptors 2023-05-30 11:01:22 +01:00
isdn Including fixes from netfilter. 2023-05-05 19:12:01 -07:00
leds leds: qcom-lpg: Fix PWM period limits 2023-06-03 17:00:28 +02:00
macintosh powerpc updates for 6.4 2023-04-28 16:24:32 -07:00
mailbox mailbox: mailbox-test: fix a locking issue in mbox_test_message_write() 2023-05-31 13:26:44 -05:00
mcb mcb-lpc: Reallocate memory region to avoid memory overlapping 2023-04-20 14:24:01 +02:00
md 19 hotfixes. 8 of these are cc:stable. 2023-06-20 17:20:22 -07:00
media Revert "media: dvb-core: Fix use-after-free on race condition at dvb_frontend" 2023-06-14 23:16:29 +01:00
memory ARM: SoC drivers for v6.4 2023-04-25 12:02:16 -07:00
memstick
message Objtool changes for v6.4: 2023-04-28 14:02:54 -07:00
mfd - New Drivers 2023-05-02 10:41:31 -07:00
misc Merge tag 'at24-fixes-for-v6.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux into i2c/for-current 2023-06-09 17:14:33 +02:00
mmc mmc: usdhi60rol0: fix deferred probing 2023-06-19 13:32:39 +02:00
most
mtd mtd: rawnand: marvell: don't set the NAND frequency select 2023-06-01 18:12:33 +02:00
mux
net net: wwan: iosm: Convert single instance struct member to flexible array 2023-06-22 11:27:47 +02:00
nfc nfc: fdp: Add MODULE_FIRMWARE macros 2023-06-18 11:19:52 +01:00
ntb
nubus
nvdimm
nvme nvme: fix the name of Zone Append for verbose logging 2023-05-31 09:21:26 -07:00
nvmem modules-6.4-rc1 2023-04-27 16:36:55 -07:00
of of: overlay: Fix missing of_node_put() in error case of init_overlay_changeset() 2023-06-09 16:12:37 -06:00
opp Devicetree updates for v6.4, part 2: 2023-04-27 10:09:05 -07:00
parisc parisc: Replace regular spinlock with spin_trylock on panic path 2023-05-03 17:43:26 +02:00
parport
pci hyperv-fixes for 6.4-rc8 2023-06-19 17:05:43 -07:00
pcmcia
peci
perf KVM: arm64: PMU: Don't overwrite PMUSERENR with vcpu loaded 2023-06-04 17:19:36 +01:00
phy phy: qcom-snps: correct struct qcom_snps_hsphy kerneldoc 2023-05-16 19:48:55 +05:30
pinctrl pinctrl: meson-axg: add missing GPIOA_18 gpio group 2023-05-16 15:02:01 +02:00
platform platform/x86/amd/pmf: Register notify handler only if SPS is enabled 2023-06-22 10:20:00 +02:00
pnp
power power: supply: Fix logic checking if system is running from battery 2023-05-16 23:02:56 +02:00
powercap
pps
ps3
ptp Driver core changes for 6.4-rc1 2023-04-27 11:53:57 -07:00
pwm pwm: Changes for v6.4-rc1 2023-05-03 11:25:01 -07:00
rapidio Mainly singleton patches all over the place. Series of note are: 2023-04-27 19:57:00 -07:00
ras
regulator regulator: qcom-rpmh: Fix regulators for PM8550 2023-06-07 14:20:04 +01:00
remoteproc Mainly singleton patches all over the place. Series of note are: 2023-04-27 19:57:00 -07:00
reset Nothing looks out of the ordinary in this batch of clk driver updates. There 2023-04-29 17:29:39 -07:00
rpmsg Driver core changes for 6.4-rc1 2023-04-27 11:53:57 -07:00
rtc - New Drivers 2023-05-02 10:41:31 -07:00
s390 Including fixes from wireless, and netfilter. 2023-06-15 21:11:17 -07:00
sbus Driver core changes for 6.4-rc1 2023-04-27 11:53:57 -07:00
scsi scsi: lpfc: Fix incorrect big endian type assignment in bsg loopback path 2023-06-14 21:57:48 -04:00
sh
siox
slimbus
soc ARM: SoC fixes for 6.4, part 2 2023-06-10 13:01:09 -07:00
soundwire soundwire: stream: Add missing clear of alloc_slave_rt 2023-06-08 17:08:04 +05:30
spi spi: spi-geni-qcom: correctly handle -EPROBE_DEFER from dma_request_chan() 2023-06-15 14:58:45 +01:00
spmi spmi: Add a check for remove callback when removing a SPMI driver 2023-04-20 14:16:39 +02:00
ssb
staging Staging driver fix for 6.4-rc7 2023-06-17 11:04:10 -07:00
target scsi: target: core: Fix error path in target_setup_session() 2023-06-14 21:54:35 -04:00
tc
tee AMDTEE add return origin to load TA command 2023-06-07 12:58:22 +02:00
thermal thermal/intel/intel_soc_dts_iosf: Fix reporting wrong temperatures 2023-06-15 18:07:48 +02:00
thunderbolt thunderbolt: Mask ring interrupt on Intel hardware as well 2023-05-31 10:37:21 +03:00
tty tty: serial: fsl_lpuart: reduce RX watermark to 0 on LS1028A 2023-06-13 12:31:45 +02:00
ufs scsi: ufs: core: Fix MCQ nr_hw_queues 2023-05-16 21:07:26 -04:00
uio
usb usb: gadget: udc: core: Prevent soft_connect_store() race 2023-06-13 12:16:34 +02:00
vdpa vdpa/mlx5: Fix hang when cvq commands are triggered during device unregister 2023-06-08 15:43:08 -04:00
vfio vfio/type1: check pfn valid before converting to struct page 2023-05-23 14:16:29 -06:00
vhost vhost_vdpa: support PACKED when setting-getting vring_base 2023-06-09 12:08:04 -04:00
video fbdev: bw2: Convert to platform remove callback returning void 2023-05-30 18:33:25 +02:00
virt Devicetree updates for v6.4, part 2: 2023-04-27 10:09:05 -07:00
virtio - Nick Piggin's "shoot lazy tlbs" series, to improve the peformance of 2023-04-27 19:42:02 -07:00
vlynq
w1 Char/Misc drivers for 6.4-rc1 2023-04-27 12:07:50 -07:00
watchdog linux-watchdog 6.4-rc1 tag 2023-05-04 18:33:56 -07:00
xen xen: branch for v6.4-rc4 2023-05-27 09:42:56 -07:00
zorro
Kconfig
Makefile