linux/drivers/iommu
Liu Yi L 18abda7a2d iommu/vt-d: Fix general protection fault in aux_detach_device()
The aux-domain attach/detach are not tracked, some data structures might
be used after free. This causes general protection faults when multiple
subdevices are created and assigned to the same guest machine:

  | general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] SMP NOPTI
  | RIP: 0010:intel_iommu_aux_detach_device+0x12a/0x1f0
  | [...]
  | Call Trace:
  |  iommu_aux_detach_device+0x24/0x70
  |  vfio_mdev_detach_domain+0x3b/0x60
  |  ? vfio_mdev_set_domain+0x50/0x50
  |  iommu_group_for_each_dev+0x4f/0x80
  |  vfio_iommu_detach_group.isra.0+0x22/0x30
  |  vfio_iommu_type1_detach_group.cold+0x71/0x211
  |  ? find_exported_symbol_in_section+0x4a/0xd0
  |  ? each_symbol_section+0x28/0x50
  |  __vfio_group_unset_container+0x4d/0x150
  |  vfio_group_try_dissolve_container+0x25/0x30
  |  vfio_group_put_external_user+0x13/0x20
  |  kvm_vfio_group_put_external_user+0x27/0x40 [kvm]
  |  kvm_vfio_destroy+0x45/0xb0 [kvm]
  |  kvm_put_kvm+0x1bb/0x2e0 [kvm]
  |  kvm_vm_release+0x22/0x30 [kvm]
  |  __fput+0xcc/0x260
  |  ____fput+0xe/0x10
  |  task_work_run+0x8f/0xb0
  |  do_exit+0x358/0xaf0
  |  ? wake_up_state+0x10/0x20
  |  ? signal_wake_up_state+0x1a/0x30
  |  do_group_exit+0x47/0xb0
  |  __x64_sys_exit_group+0x18/0x20
  |  do_syscall_64+0x57/0x1d0
  |  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fix the crash by tracking the subdevices when attaching and detaching
aux-domains.

Fixes: 67b8e02b5e ("iommu/vt-d: Aux-domain specific domain attach/detach")
Co-developed-by: Xin Zeng <xin.zeng@intel.com>
Signed-off-by: Xin Zeng <xin.zeng@intel.com>
Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
Link: https://lore.kernel.org/r/1609949037-25291-3-git-send-email-yi.l.liu@intel.com
Signed-off-by: Will Deacon <will@kernel.org>
2021-01-07 14:35:14 +00:00
amd iommu/amd: Stop irq_remapping_select() matching when remapping is disabled 2021-01-05 19:24:12 +00:00
arm iommu/arm-smmu-qcom: Initialize SCTLR of the bypass context 2021-01-07 14:10:46 +00:00
intel iommu/vt-d: Fix general protection fault in aux_detach_device() 2021-01-07 14:35:14 +00:00
dma-iommu.c Revert "iommu: Add quirk for Intel graphic devices in map_sg" 2021-01-07 13:27:14 +00:00
exynos-iommu.c iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate() 2020-09-24 10:48:29 +02:00
fsl_pamu_domain.c iommu/pamu: Use dev_iommu_priv_get/set() 2020-06-30 11:59:48 +02:00
fsl_pamu_domain.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 266 2019-06-05 17:30:28 +02:00
fsl_pamu.c iommu/pamu: Replace use of kzfree with kfree_sensitive 2020-09-18 10:59:04 +02:00
fsl_pamu.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 266 2019-06-05 17:30:28 +02:00
hyperv-iommu.c iommu/hyper-v: Remove I/O-APIC ID check from hyperv_irq_remapping_select() 2020-12-02 11:22:55 +01:00
io-pgtable-arm-v7s.c iommu/io-pgtable: Remove tlb_flush_leaf 2020-12-08 15:23:37 +00:00
io-pgtable-arm.c IOMMU updates for 5.11 2020-12-16 13:58:47 -08:00
io-pgtable-arm.h iommu/io-pgtable-arm: Move some definitions to a header 2020-09-28 23:48:06 +01:00
io-pgtable.c iommu/io-pgtable-arm: Rationalise TCR handling 2020-01-10 15:52:24 +00:00
ioasid.c iommu/ioasid: Add ioasid references 2020-11-23 14:16:55 +00:00
iommu-debugfs.c
iommu-sva-lib.c iommu/sva: Add PASID helpers 2020-11-23 14:16:55 +00:00
iommu-sva-lib.h iommu/sva: Add PASID helpers 2020-11-23 14:16:55 +00:00
iommu-sysfs.c drivers/iommu: Export core IOMMU API symbols to permit modular drivers 2019-12-23 14:06:05 +01:00
iommu-traces.c
iommu.c Merge branch 'for-next/iommu/fixes' into for-next/iommu/core 2020-12-08 15:21:49 +00:00
iova.c iommu/iova: fix 'domain' typos 2021-01-05 18:48:57 +00:00
ipmmu-vmsa.c iommu/io-pgtable: Remove tlb_flush_leaf 2020-12-08 15:23:37 +00:00
irq_remapping.c x86: Kill all traces of irq_remapping_get_irq_domain() 2020-10-28 20:26:28 +01:00
irq_remapping.h x86: Kill all traces of irq_remapping_get_irq_domain() 2020-10-28 20:26:28 +01:00
Kconfig iommu/arm-smmu-v3: Implement iommu_sva_bind/unbind() 2020-11-23 14:16:55 +00:00
Makefile iommu/sva: Add PASID helpers 2020-11-23 14:16:55 +00:00
msm_iommu_hw-8xxx.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 267 2019-06-05 17:30:29 +02:00
msm_iommu.c iommu/io-pgtable: Remove tlb_flush_leaf 2020-12-08 15:23:37 +00:00
msm_iommu.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 267 2019-06-05 17:30:29 +02:00
mtk_iommu_v1.c iommu/mediatek: Do no use dev->archdata.iommu 2020-06-30 11:59:48 +02:00
mtk_iommu.c iommu/io-pgtable: Remove tlb_flush_leaf 2020-12-08 15:23:37 +00:00
mtk_iommu.h iommu/mediatek: Add support for MT8167 2020-09-18 10:29:12 +02:00
of_iommu.c of/device: Add input id to of_dma_configure() 2020-07-28 15:51:32 +01:00
omap-iommu-debug.c iommu/omap: Check for failure of a call to omap_iommu_dump_ctx 2020-07-22 15:02:33 +02:00
omap-iommu.c Merge branches 'arm/renesas', 'arm/qcom', 'arm/mediatek', 'arm/omap', 'arm/exynos', 'arm/smmu', 'ppc/pamu', 'x86/vt-d', 'x86/amd' and 'core' into next 2020-07-29 14:42:00 +02:00
omap-iommu.h iommu/omap: add support for late attachment of iommu devices 2019-08-09 17:37:10 +02:00
omap-iopgtable.h iommu/omap: Fix -Woverflow warnings when compiling on 64-bit architectures 2020-03-04 16:24:46 +01:00
rockchip-iommu.c iommu/rockchip: Use dev_iommu_priv_get/set() 2020-06-30 11:59:48 +02:00
s390-iommu.c s390 updates for the 5.8 merge window 2020-06-08 12:05:31 -07:00
sun50i-iommu.c iommu/sun50i: Fix set-but-not-used variable warning 2020-09-04 13:39:45 +02:00
tegra-gart.c iommu/tegra: Use dev_iommu_priv_get/set() 2020-06-30 11:59:48 +02:00
tegra-smmu.c iommu/tegra-smmu: Add PCI support 2020-11-25 11:04:41 +00:00
virtio-iommu.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00