From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8188CC3A5A2 for ; Fri, 23 Aug 2019 14:40:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 544002054F for ; Fri, 23 Aug 2019 14:40:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390533AbfHWOkO (ORCPT ); Fri, 23 Aug 2019 10:40:14 -0400 Received: from mx1.redhat.com ([209.132.183.28]:42286 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389691AbfHWOkO (ORCPT ); Fri, 23 Aug 2019 10:40:14 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8663C309175F; Fri, 23 Aug 2019 14:40:14 +0000 (UTC) Received: from x1.home (ovpn-116-99.phx2.redhat.com [10.3.116.99]) by smtp.corp.redhat.com (Postfix) with ESMTP id 515BE5F9D2; Fri, 23 Aug 2019 14:40:13 +0000 (UTC) Date: Fri, 23 Aug 2019 08:40:12 -0600 From: Alex Williamson To: Paul Mackerras Cc: Alexey Kardashevskiy , linuxppc-dev@lists.ozlabs.org, David Gibson , kvm-ppc@vger.kernel.org, kvm@vger.kernel.org, Jose Ricardo Ziviani Subject: Re: [PATCH kernel] vfio/spapr_tce: Fix incorrect tce_iommu_group memory free Message-ID: <20190823084012.202ba70f@x1.home> In-Reply-To: <20190823053241.hogc44em2ccwdwq4@oak.ozlabs.ibm.com> References: <20190819015117.94878-1-aik@ozlabs.ru> <20190823053241.hogc44em2ccwdwq4@oak.ozlabs.ibm.com> Organization: Red Hat MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Fri, 23 Aug 2019 14:40:14 +0000 (UTC) Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org On Fri, 23 Aug 2019 15:32:41 +1000 Paul Mackerras wrote: > On Mon, Aug 19, 2019 at 11:51:17AM +1000, Alexey Kardashevskiy wrote: > > The @tcegrp variable is used in 1) a loop over attached groups > > 2) it stores a pointer to a newly allocated tce_iommu_group if 1) found > > nothing. However the error handler does not distinguish how we got there > > and incorrectly releases memory for a found+incompatible group. > > > > This fixes it by adding another error handling case. > > > > Fixes: 0bd971676e68 ("powerpc/powernv/npu: Add compound IOMMU groups") > > Signed-off-by: Alexey Kardashevskiy > > Good catch. This is potentially nasty since it is a double free. > Alex, are you going to take this, or would you prefer it goes via > Michael Ellerman's tree? > > Reviewed-by: Paul Mackerras I can take it, I've got it queued, but was hoping for an ack/review by you or David. I'll add the R-b and push it out to my next branch. Thanks, Alex From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3AF17C3A5A2 for ; Fri, 23 Aug 2019 14:42:49 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 81AD82054F for ; Fri, 23 Aug 2019 14:42:48 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 81AD82054F Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 46FPJQ084HzDsNg for ; Sat, 24 Aug 2019 00:42:46 +1000 (AEST) Authentication-Results: lists.ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=redhat.com (client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=alex.williamson@redhat.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=pass (p=none dis=none) header.from=redhat.com Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 46FPFc68GczDrgp for ; Sat, 24 Aug 2019 00:40:16 +1000 (AEST) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8663C309175F; Fri, 23 Aug 2019 14:40:14 +0000 (UTC) Received: from x1.home (ovpn-116-99.phx2.redhat.com [10.3.116.99]) by smtp.corp.redhat.com (Postfix) with ESMTP id 515BE5F9D2; Fri, 23 Aug 2019 14:40:13 +0000 (UTC) Date: Fri, 23 Aug 2019 08:40:12 -0600 From: Alex Williamson To: Paul Mackerras Subject: Re: [PATCH kernel] vfio/spapr_tce: Fix incorrect tce_iommu_group memory free Message-ID: <20190823084012.202ba70f@x1.home> In-Reply-To: <20190823053241.hogc44em2ccwdwq4@oak.ozlabs.ibm.com> References: <20190819015117.94878-1-aik@ozlabs.ru> <20190823053241.hogc44em2ccwdwq4@oak.ozlabs.ibm.com> Organization: Red Hat MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Fri, 23 Aug 2019 14:40:14 +0000 (UTC) X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kvm@vger.kernel.org, Jose Ricardo Ziviani , Alexey Kardashevskiy , kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, David Gibson Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Fri, 23 Aug 2019 15:32:41 +1000 Paul Mackerras wrote: > On Mon, Aug 19, 2019 at 11:51:17AM +1000, Alexey Kardashevskiy wrote: > > The @tcegrp variable is used in 1) a loop over attached groups > > 2) it stores a pointer to a newly allocated tce_iommu_group if 1) found > > nothing. However the error handler does not distinguish how we got there > > and incorrectly releases memory for a found+incompatible group. > > > > This fixes it by adding another error handling case. > > > > Fixes: 0bd971676e68 ("powerpc/powernv/npu: Add compound IOMMU groups") > > Signed-off-by: Alexey Kardashevskiy > > Good catch. This is potentially nasty since it is a double free. > Alex, are you going to take this, or would you prefer it goes via > Michael Ellerman's tree? > > Reviewed-by: Paul Mackerras I can take it, I've got it queued, but was hoping for an ack/review by you or David. I'll add the R-b and push it out to my next branch. Thanks, Alex From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alex Williamson Date: Fri, 23 Aug 2019 14:40:12 +0000 Subject: Re: [PATCH kernel] vfio/spapr_tce: Fix incorrect tce_iommu_group memory free Message-Id: <20190823084012.202ba70f@x1.home> List-Id: References: <20190819015117.94878-1-aik@ozlabs.ru> <20190823053241.hogc44em2ccwdwq4@oak.ozlabs.ibm.com> In-Reply-To: <20190823053241.hogc44em2ccwdwq4@oak.ozlabs.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Paul Mackerras Cc: Alexey Kardashevskiy , linuxppc-dev@lists.ozlabs.org, David Gibson , kvm-ppc@vger.kernel.org, kvm@vger.kernel.org, Jose Ricardo Ziviani On Fri, 23 Aug 2019 15:32:41 +1000 Paul Mackerras wrote: > On Mon, Aug 19, 2019 at 11:51:17AM +1000, Alexey Kardashevskiy wrote: > > The @tcegrp variable is used in 1) a loop over attached groups > > 2) it stores a pointer to a newly allocated tce_iommu_group if 1) found > > nothing. However the error handler does not distinguish how we got there > > and incorrectly releases memory for a found+incompatible group. > > > > This fixes it by adding another error handling case. > > > > Fixes: 0bd971676e68 ("powerpc/powernv/npu: Add compound IOMMU groups") > > Signed-off-by: Alexey Kardashevskiy > > Good catch. This is potentially nasty since it is a double free. > Alex, are you going to take this, or would you prefer it goes via > Michael Ellerman's tree? > > Reviewed-by: Paul Mackerras I can take it, I've got it queued, but was hoping for an ack/review by you or David. I'll add the R-b and push it out to my next branch. Thanks, Alex