linux/drivers/iommu
Alex Williamson 86dc40c7ea iommu/vt-d: Fix unmap_pages support
When supporting only the .map and .unmap callbacks of iommu_ops,
the IOMMU driver can make assumptions about the size and alignment
used for mappings based on the driver provided pgsize_bitmap.  VT-d
previously used essentially PAGE_MASK for this bitmap as any power
of two mapping was acceptably filled by native page sizes.

However, with the .map_pages and .unmap_pages interface we're now
getting page-size and count arguments.  If we simply combine these
as (page-size * count) and make use of the previous map/unmap
functions internally, any size and alignment assumptions are very
different.

As an example, a given vfio device assignment VM will often create
a 4MB mapping at IOVA pfn [0x3fe00 - 0x401ff].  On a system that
does not support IOMMU super pages, the unmap_pages interface will
ask to unmap 1024 4KB pages at the base IOVA.  dma_pte_clear_level()
will recurse down to level 2 of the page table where the first half
of the pfn range exactly matches the entire pte level.  We clear the
pte, increment the pfn by the level size, but (oops) the next pte is
on a new page, so we exit the loop and pop back up a level.  When we
then update the pfn based on that higher level, we seem to assume
that the previous pfn value was at the start of the level.  In this
case the level size is 256K pfns, which we add to the base pfn and
get a result of 0x7fe00, which is clearly greater than 0x401ff,
so we're done.  Meanwhile we never cleared the ptes for the remainder
of the range.  When the VM remaps this range, we're overwriting valid
ptes and the VT-d driver complains loudly, as reported by the user
report linked below.

The fix for this seems relatively simple, if each iteration of the
loop in dma_pte_clear_level() is assumed to clear to the end of the
level pte page, then our next pfn should be calculated from level_pfn
rather than our working pfn.

Fixes: 3f34f12597 ("iommu/vt-d: Implement map/unmap_pages() iommu_ops callback")
Reported-by: Ajay Garg <ajaygargnsit@gmail.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Tested-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Link: https://lore.kernel.org/all/20211002124012.18186-1-ajaygargnsit@gmail.com/
Link: https://lore.kernel.org/r/163659074748.1617923.12716161410774184024.stgit@omen
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Link: https://lore.kernel.org/r/20211126135556.397932-3-baolu.lu@linux.intel.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2021-11-26 22:54:47 +01:00
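
The pfn arithmetic walked through in the commit message can be reproduced in user space. This is an added model, not the kernel's code: it keeps only the loop control of dma_pte_clear_level() and counts the 4KB pfns that end up cleared. It assumes every pte is present, a 9-bit stride per level, no superpages and a walk that starts at level 3; the names `clear_level`, `level_offset` and the `fixed` flag are introduced here for illustration.

```c
#include <stdio.h>

#define STRIDE 9	/* assumed: 512 ptes per page-table page */

static unsigned long level_size(int level)
{
	return 1UL << ((level - 1) * STRIDE);	/* pfns covered by one pte */
}

static unsigned int level_offset(unsigned long pfn, int level)
{
	return (pfn >> ((level - 1) * STRIDE)) & 0x1ff;	/* pte index in its page */
}

/* Model of the walk; returns how many 4KB pfns were cleared.
 * fixed == 0: advance pfn as before the fix; fixed == 1: as after it. */
static unsigned long clear_level(int level, unsigned long pfn,
				 unsigned long start_pfn,
				 unsigned long last_pfn, int fixed)
{
	unsigned long cleared = 0;
	unsigned int idx;

	if (pfn < start_pfn)
		pfn = start_pfn;
	idx = level_offset(pfn, level);
	do {
		unsigned long level_pfn = pfn & ~(level_size(level) - 1);

		if (start_pfn <= level_pfn &&
		    last_pfn >= level_pfn + level_size(level) - 1)
			cleared += level_size(level);	/* pte fully covered: clear it */
		else if (level > 1)			/* partly covered: descend */
			cleared += clear_level(level - 1, level_pfn,
					       start_pfn, last_pfn, fixed);
		/* The fix: step from the start of this pte, not from the working pfn. */
		pfn = (fixed ? level_pfn : pfn) + level_size(level);
	} while (++idx < 512 && pfn <= last_pfn);	/* stop at end of the pte page */
	return cleared;
}

int main(void)
{
	/* Range from the commit message: 1024 pfns at [0x3fe00 - 0x401ff]. */
	printf("before fix: %lu pfns cleared\n", clear_level(3, 0, 0x3fe00, 0x401ff, 0));
	printf("after fix:  %lu pfns cleared\n", clear_level(3, 0, 0x3fe00, 0x401ff, 1));
	return 0;
}
```

With the old advance the model clears only the first 512 pfns of the range; a range that begins on a level boundary is cleared fully either way, which is why the problem only shows up for ranges that straddle a pte page.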
..
amd iommu/amd: Clarify AMD IOMMUv2 initialization messages 2021-11-26 22:54:20 +01:00
arm Merge branches 'apple/dart', 'arm/mediatek', 'arm/renesas', 'arm/smmu', 'arm/tegra', 'iommu/fixes', 'x86/amd', 'x86/vt-d' and 'core' into next 2021-10-31 22:26:53 +01:00
intel iommu/vt-d: Fix unmap_pages support 2021-11-26 22:54:47 +01:00
apple-dart.c pci-v5.16-changes 2021-11-06 14:36:12 -07:00
dma-iommu.c Merge branches 'apple/dart', 'arm/mediatek', 'arm/renesas', 'arm/smmu', 'arm/tegra', 'iommu/fixes', 'x86/amd', 'x86/vt-d' and 'core' into next 2021-10-31 22:26:53 +01:00
exynos-iommu.c iommu/exynos: Drop IOVA cookie management 2021-08-18 13:25:31 +02:00
fsl_pamu_domain.c iommu: Streamline registration interface 2021-04-16 17:20:45 +02:00
fsl_pamu_domain.h iommu/fsl_pamu: remove the snoop_id field 2021-04-07 10:56:52 +02:00
fsl_pamu.c iommu/fsl_pamu: hardcode the window address and size in pamu_config_ppaace 2021-04-07 10:56:52 +02:00
fsl_pamu.h iommu/fsl_pamu: hardcode the window address and size in pamu_config_ppaace 2021-04-07 10:56:52 +02:00
hyperv-iommu.c iommu/hyperv: setup an IO-APIC IRQ remapping domain for root partition 2021-02-11 08:47:07 +00:00
io-pgfault.c iommu: Add a page fault handler 2021-04-07 10:54:29 +02:00
io-pgtable-arm-v7s.c iommu/io-pgtable: Abstract iommu_iotlb_gather access 2021-08-20 17:14:27 +02:00
io-pgtable-arm.c Merge branches 'apple/dart', 'arm/smmu', 'iommu/fixes', 'x86/amd', 'x86/vt-d' and 'core' into next 2021-08-20 17:14:35 +02:00
io-pgtable-arm.h
io-pgtable.c iommu/io-pgtable: Add DART pagetable format 2021-08-12 13:15:02 +02:00
ioasid.c
iommu-debugfs.c
iommu-sva-lib.c
iommu-sva-lib.h iommu: Add a page fault handler 2021-04-07 10:54:29 +02:00
iommu-sysfs.c
iommu-traces.c
iommu.c IOMMU Updates for Linux v5.16: 2021-11-04 11:11:24 -07:00
iova.c virtio,vdpa,vhost: features, fixes 2021-09-11 14:48:42 -07:00
ipmmu-vmsa.c iommu/ipmmu-vmsa: Hook up r8a77980 DT matching code 2021-09-28 11:43:50 +02:00
irq_remapping.c
irq_remapping.h
Kconfig iommu/arm: fix ARM_SMMU_QCOM compilation 2021-10-13 21:28:44 +02:00
Makefile iommu/dart: Add DART iommu driver 2021-08-12 13:15:02 +02:00
msm_iommu_hw-8xxx.h
msm_iommu.c iommu: Drop unnecessary of_iommu.h includes 2021-06-08 14:15:46 +02:00
msm_iommu.h
mtk_iommu_v1.c iommu/mtk: Drop IOVA cookie management 2021-08-18 13:25:32 +02:00
mtk_iommu.c iommu/mediatek: Fix out-of-range warning with clang 2021-09-28 11:59:11 +02:00
mtk_iommu.h iommu/mediatek: Add mt8192 support 2021-02-01 11:31:19 +00:00
of_iommu.c iommu: Remove unused of_get_dma_window() 2021-06-08 14:15:46 +02:00
omap-iommu-debug.c
omap-iommu.c iommu: Drop unnecessary of_iommu.h includes 2021-06-08 14:15:46 +02:00
omap-iommu.h
omap-iopgtable.h
rockchip-iommu.c iommu/rockchip: Fix PAGE_DESC_HI_MASKs for RK3568 2021-11-26 22:54:20 +01:00
s390-iommu.c s390/pci: improve DMA translation init and exit 2021-08-25 11:03:34 +02:00
sprd-iommu.c iommu/sprd: Drop IOVA cookie management 2021-08-18 13:25:32 +02:00
sun50i-iommu.c iommu/sun50i: Drop IOVA cookie management 2021-08-18 13:25:32 +02:00
tegra-gart.c iommu: Streamline registration interface 2021-04-16 17:20:45 +02:00
tegra-smmu.c iommu/tegra-smmu: Use devm_bitmap_zalloc when applicable 2021-10-18 13:39:41 +02:00
virtio-iommu.c iommu/virtio: Drop IOVA cookie management 2021-08-18 13:25:32 +02:00