Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-01-01 15:51:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
dbe245cdf5
linux/drivers/iommu
History
Jason Gunthorpe dbe245cdf5 iommufd: Call iopt_area_contig_done() under the lock 
The iter internally holds a pointer to the area and
iopt_area_contig_done() will dereference it. The pointer is not valid
outside the iova_rwsem.

syzkaller reports:

  BUG: KASAN: slab-use-after-free in iommufd_access_unpin_pages+0x363/0x370
  Read of size 8 at addr ffff888022286e20 by task syz-executor669/5771

  CPU: 0 PID: 5771 Comm: syz-executor669 Not tainted 6.4.0-rc5-syzkaller-00313-g4c605260bc60 #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
  Call Trace:
   <TASK>
   dump_stack_lvl+0xd9/0x150
   print_address_description.constprop.0+0x2c/0x3c0
   kasan_report+0x11c/0x130
   iommufd_access_unpin_pages+0x363/0x370
   iommufd_test_access_unmap+0x24b/0x390
   iommufd_access_notify_unmap+0x24c/0x3a0
   iopt_unmap_iova_range+0x4c4/0x5f0
   iopt_unmap_all+0x27/0x50
   iommufd_ioas_unmap+0x3d0/0x490
   iommufd_fops_ioctl+0x317/0x4b0
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x39/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
  RIP: 0033:0x7fec1dae3b19
  Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007fec1da74308 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  RAX: ffffffffffffffda RBX: 00007fec1db6b438 RCX: 00007fec1dae3b19
  RDX: 0000000020000100 RSI: 0000000000003b86 RDI: 0000000000000003
  RBP: 00007fec1db6b430 R08: 00007fec1da74700 R09: 0000000000000000
  R10: 00007fec1da74700 R11: 0000000000000246 R12: 00007fec1db6b43c
  R13: 00007fec1db39074 R14: 6d6f692f7665642f R15: 0000000000022000
   </TASK>

  Allocated by task 5770:
   kasan_save_stack+0x22/0x40
   kasan_set_track+0x25/0x30
   __kasan_kmalloc+0xa2/0xb0
   iopt_alloc_area_pages+0x94/0x560
   iopt_map_user_pages+0x205/0x4e0
   iommufd_ioas_map+0x329/0x5f0
   iommufd_fops_ioctl+0x317/0x4b0
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x39/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

  Freed by task 5770:
   kasan_save_stack+0x22/0x40
   kasan_set_track+0x25/0x30
   kasan_save_free_info+0x2e/0x40
   ____kasan_slab_free+0x160/0x1c0
   slab_free_freelist_hook+0x8b/0x1c0
   __kmem_cache_free+0xaf/0x2d0
   iopt_unmap_iova_range+0x288/0x5f0
   iopt_unmap_all+0x27/0x50
   iommufd_ioas_unmap+0x3d0/0x490
   iommufd_fops_ioctl+0x317/0x4b0
   __x64_sys_ioctl+0x197/0x210
   do_syscall_64+0x39/0xb0
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

The parallel unmap free'd iter->area the instant the lock was released.

Fixes: 51fe6141f0 ("iommufd: Data structure to provide IOVA to PFN mapping")
Link: https://lore.kernel.org/r/2-v2-9a03761d445d+54-iommufd_syz2_jgg@nvidia.com
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reported-by: syzbot+6c8d756f238a75fc3eb8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/000000000000905eba05fe38e9f2@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
2023-06-26 09:00:23 -03:00
..
amd iommu/amd: Fix possible memory leak of 'domain' 2023-06-16 16:36:45 +02:00
arm Merge tag 'drm-msm-fixes-2023-05-17' of https://gitlab.freedesktop.org/drm/msm into drm-fixes 2023-05-19 11:22:23 +10:00
intel IOMMU Updates for Linux 6.4 2023-04-30 13:00:38 -07:00
iommufd iommufd: Call iopt_area_contig_done() under the lock 2023-06-26 09:00:23 -03:00
apple-dart.c iommu/apple-dart: Convert to platform remove callback returning void 2023-03-31 10:01:55 +02:00
dma-iommu.c mm, treewide: redefine MAX_ORDER sanely 2023-04-05 19:42:46 -07:00
dma-iommu.h iommu/dma: Make header private 2022-09-09 09:26:22 +02:00
exynos-iommu.c Merge branches 'iommu/fixes', 'arm/allwinner', 'arm/exynos', 'arm/mediatek', 'arm/omap', 'arm/renesas', 'arm/rockchip', 'arm/smmu', 'ppc/pamu', 'unisoc', 'x86/vt-d', 'x86/amd', 'core' and 'platform-remove_new' into next 2023-04-14 13:45:50 +02:00
fsl_pamu_domain.c iommu/fsl_pamu: Fix compile error after adding set_platform_dma_ops 2023-01-13 22:30:55 +01:00
fsl_pamu_domain.h
fsl_pamu.c iommu/fsl: fix all kernel-doc warnings in fsl_pamu.c 2023-03-22 14:50:15 +01:00
fsl_pamu.h
hyperv-iommu.c iommu/hyper-v: Allow hyperv irq remapping without x2apic 2022-11-28 16:48:20 +00:00
io-pgfault.c iommu: Rename iommu-sva-lib.{c,h} 2022-11-03 15:47:54 +01:00
io-pgtable-arm-v7s.c iommu/io-pgtable-arm-v7s: Remove map/unmap 2022-11-19 10:44:15 +01:00
io-pgtable-arm.c iommu/io-pgtable-arm: Remove map/unmap 2022-11-19 10:44:15 +01:00
io-pgtable-arm.h
io-pgtable-dart.c iommu/io-pgtable-dart: Add DART PTE support for t6000 2022-09-26 13:49:40 +02:00
io-pgtable.c Merge branches 'apple/dart', 'arm/mediatek', 'arm/omap', 'arm/smmu', 'virtio', 'x86/vt-d', 'x86/amd' and 'core' into next 2022-09-26 15:52:31 +02:00
iommu-debugfs.c
iommu-sva.c IOMMU Updates for Linux 6.4 2023-04-30 13:00:38 -07:00
iommu-sva.h iommu: Remove ioasid infrastructure 2023-03-31 10:03:31 +02:00
iommu-sysfs.c
iommu-traces.c iommu: Remove detach_dev callback 2023-01-13 16:39:18 +01:00
iommu.c IOMMU Updates for Linux 6.4 2023-04-30 13:00:38 -07:00
iova.c iommu/iova: Fix alloc iova overflows issue 2023-01-13 13:46:31 +01:00
ipmmu-vmsa.c Merge branches 'iommu/fixes', 'arm/allwinner', 'arm/exynos', 'arm/mediatek', 'arm/omap', 'arm/renesas', 'arm/rockchip', 'arm/smmu', 'ppc/pamu', 'unisoc', 'x86/vt-d', 'x86/amd', 'core' and 'platform-remove_new' into next 2023-04-14 13:45:50 +02:00
irq_remapping.c
irq_remapping.h
Kconfig iommu: Make IPMMU_VMSA dependencies more strict 2023-05-22 17:00:34 +02:00
Makefile iommu: Remove ioasid infrastructure 2023-03-31 10:03:31 +02:00
msm_iommu_hw-8xxx.h
msm_iommu.c iommu/msm: Convert to platform remove callback returning void 2023-03-31 10:01:57 +02:00
msm_iommu.h
mtk_iommu_v1.c iommu/mtk_iommu_v1: Convert to platform remove callback returning void 2023-03-31 10:01:58 +02:00
mtk_iommu.c iommu/mediatek: Flush IOTLB completely only if domain has been attached 2023-06-01 11:50:13 +02:00
of_iommu.c iommu/of: mark an unused function as __maybe_unused 2023-02-16 10:17:31 +01:00
omap-iommu-debug.c iommu/omap: Fix buffer overflow in debugfs 2022-09-07 10:42:28 +02:00
omap-iommu.c Merge branches 'iommu/fixes', 'arm/allwinner', 'arm/exynos', 'arm/mediatek', 'arm/omap', 'arm/renesas', 'arm/rockchip', 'arm/smmu', 'ppc/pamu', 'unisoc', 'x86/vt-d', 'x86/amd', 'core' and 'platform-remove_new' into next 2023-04-14 13:45:50 +02:00
omap-iommu.h
omap-iopgtable.h
rockchip-iommu.c iommu/rockchip: Fix unwind goto issue 2023-05-22 17:03:08 +02:00
s390-iommu.c iommufd for 6.3 2023-02-24 14:34:12 -08:00
sprd-iommu.c Merge branches 'iommu/fixes', 'arm/allwinner', 'arm/exynos', 'arm/mediatek', 'arm/omap', 'arm/renesas', 'arm/rockchip', 'arm/smmu', 'ppc/pamu', 'unisoc', 'x86/vt-d', 'x86/amd', 'core' and 'platform-remove_new' into next 2023-04-14 13:45:50 +02:00
sun50i-iommu.c iommu/sun50i: remove MODULE_LICENSE in non-modules 2023-04-13 13:13:52 -07:00
tegra-gart.c iommu: Add set_platform_dma_ops callbacks 2023-01-13 16:39:16 +01:00
tegra-smmu.c IOMMU Updates for Linux v6.3: 2023-02-24 13:40:13 -08:00
virtio-iommu.c iommu: Propagate return value in ->attach_dev callback functions 2022-11-01 14:39:59 -03:00