From: Jean-Philippe Brucker <jean-philippe@linaro.org>
To: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org
Cc: hpa@zytor.com, linux-kernel@vger.kernel.org, joro@8bytes.org,
will@kernel.org, iommu@lists.linux-foundation.org,
robin.murphy@arm.com, hch@lst.de,
Jean-Philippe Brucker <jean-philippe@linaro.org>
Subject: [PATCH] x86/dma: Tear down DMA ops on driver unbind
Date: Wed, 14 Apr 2021 10:26:34 +0200 [thread overview]
Message-ID: <20210414082633.877461-1-jean-philippe@linaro.org> (raw)
Since commit 08a27c1c3ecf ("iommu: Add support to change default domain
of an iommu group") a user can switch a device between IOMMU and direct
DMA through sysfs. This doesn't work for AMD IOMMU at the moment because
dev->dma_ops is not cleared when switching from a DMA to an identity
IOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an
identity domain, causing an oops:
# echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind
# echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type
# echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind
...
[ 190.017587] BUG: kernel NULL pointer dereference, address: 0000000000000028
...
[ 190.027375] Call Trace:
[ 190.027561] iommu_dma_alloc+0xd0/0x100
[ 190.027840] e1000e_setup_tx_resources+0x56/0x90
[ 190.028173] e1000e_open+0x75/0x5b0
Implement arch_teardown_dma_ops() on x86 to clear the device's dma_ops
pointer during driver unbind.
Fixes: 08a27c1c3ecf ("iommu: Add support to change default domain of an iommu group")
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
---
arch/x86/Kconfig | 1 +
arch/x86/kernel/pci-dma.c | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 2792879d398e..2c90f8de3e20 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -85,6 +85,7 @@ config X86
select ARCH_HAS_STRICT_MODULE_RWX
select ARCH_HAS_SYNC_CORE_BEFORE_USERMODE
select ARCH_HAS_SYSCALL_WRAPPER
+ select ARCH_HAS_TEARDOWN_DMA_OPS if IOMMU_DMA
select ARCH_HAS_UBSAN_SANITIZE_ALL
select ARCH_HAS_DEBUG_WX
select ARCH_HAVE_NMI_SAFE_CMPXCHG
diff --git a/arch/x86/kernel/pci-dma.c b/arch/x86/kernel/pci-dma.c
index de234e7a8962..60a4ec22d849 100644
--- a/arch/x86/kernel/pci-dma.c
+++ b/arch/x86/kernel/pci-dma.c
@@ -154,3 +154,10 @@ static void via_no_dac(struct pci_dev *dev)
DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_VIA, PCI_ANY_ID,
PCI_CLASS_BRIDGE_PCI, 8, via_no_dac);
#endif
+
+#ifdef CONFIG_ARCH_HAS_TEARDOWN_DMA_OPS
+void arch_teardown_dma_ops(struct device *dev)
+{
+ set_dma_ops(dev, NULL);
+}
+#endif
--
2.31.1
WARNING: multiple messages have this Message-ID (diff)
From: Jean-Philippe Brucker <jean-philippe@linaro.org>
To: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, x86@kernel.org
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>,
will@kernel.org, linux-kernel@vger.kernel.org,
iommu@lists.linux-foundation.org, hpa@zytor.com,
robin.murphy@arm.com, hch@lst.de
Subject: [PATCH] x86/dma: Tear down DMA ops on driver unbind
Date: Wed, 14 Apr 2021 10:26:34 +0200 [thread overview]
Message-ID: <20210414082633.877461-1-jean-philippe@linaro.org> (raw)
Since commit 08a27c1c3ecf ("iommu: Add support to change default domain
of an iommu group") a user can switch a device between IOMMU and direct
DMA through sysfs. This doesn't work for AMD IOMMU at the moment because
dev->dma_ops is not cleared when switching from a DMA to an identity
IOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an
identity domain, causing an oops:
# echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind
# echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type
# echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind
...
[ 190.017587] BUG: kernel NULL pointer dereference, address: 0000000000000028
...
[ 190.027375] Call Trace:
[ 190.027561] iommu_dma_alloc+0xd0/0x100
[ 190.027840] e1000e_setup_tx_resources+0x56/0x90
[ 190.028173] e1000e_open+0x75/0x5b0
Implement arch_teardown_dma_ops() on x86 to clear the device's dma_ops
pointer during driver unbind.
Fixes: 08a27c1c3ecf ("iommu: Add support to change default domain of an iommu group")
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
---
arch/x86/Kconfig | 1 +
arch/x86/kernel/pci-dma.c | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 2792879d398e..2c90f8de3e20 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -85,6 +85,7 @@ config X86
select ARCH_HAS_STRICT_MODULE_RWX
select ARCH_HAS_SYNC_CORE_BEFORE_USERMODE
select ARCH_HAS_SYSCALL_WRAPPER
+ select ARCH_HAS_TEARDOWN_DMA_OPS if IOMMU_DMA
select ARCH_HAS_UBSAN_SANITIZE_ALL
select ARCH_HAS_DEBUG_WX
select ARCH_HAVE_NMI_SAFE_CMPXCHG
diff --git a/arch/x86/kernel/pci-dma.c b/arch/x86/kernel/pci-dma.c
index de234e7a8962..60a4ec22d849 100644
--- a/arch/x86/kernel/pci-dma.c
+++ b/arch/x86/kernel/pci-dma.c
@@ -154,3 +154,10 @@ static void via_no_dac(struct pci_dev *dev)
DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_VIA, PCI_ANY_ID,
PCI_CLASS_BRIDGE_PCI, 8, via_no_dac);
#endif
+
+#ifdef CONFIG_ARCH_HAS_TEARDOWN_DMA_OPS
+void arch_teardown_dma_ops(struct device *dev)
+{
+ set_dma_ops(dev, NULL);
+}
+#endif
--
2.31.1
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
next reply other threads:[~2021-04-14 8:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-14 8:26 Jean-Philippe Brucker [this message]
2021-04-14 8:26 ` [PATCH] x86/dma: Tear down DMA ops on driver unbind Jean-Philippe Brucker
2021-04-15 9:00 ` [tip: x86/urgent] " tip-bot2 for Jean-Philippe Brucker
2021-04-17 12:06 ` Borislav Petkov
2021-04-19 8:59 ` Jean-Philippe Brucker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210414082633.877461-1-jean-philippe@linaro.org \
--to=jean-philippe@linaro.org \
--cc=bp@alien8.de \
--cc=hch@lst.de \
--cc=hpa@zytor.com \
--cc=iommu@lists.linux-foundation.org \
--cc=joro@8bytes.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=robin.murphy@arm.com \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.