From: Zhangfei Gao <zhangfei.gao@linaro.org>
To: Fenghua Yu <fenghua.yu@intel.com>, Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>, Dave Hansen <dave.hansen@intel.com>, Tony Luck <tony.luck@intel.com>, Ashok Raj <ashok.raj@intel.com>, Ravi V Shankar <ravi.v.shankar@intel.com>, Peter Zijlstra <peterz@infradead.org>, robin.murphy@arm.com, Dave Hansen <dave.hansen@linux.intel.com>, x86 <x86@kernel.org>, linux-kernel <linux-kernel@vger.kernel.org>, iommu <iommu@lists.linux-foundation.org>, Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>, Josh Poimboeuf <jpoimboe@redhat.com>, Thomas Gleixner <tglx@linutronix.de>, will@kernel.org
Subject: Re: [PATCH v4 05/11] iommu/sva: Assign a PASID to mm on PASID allocation and free it on mm exit
Date: Tue, 26 Apr 2022 13:04:45 +0800
Message-ID: <51514a02-0de9-2f9e-ec0e-c86e147fa74c@linaro.org>
In-Reply-To: <YmdzFFx7fN586jcf@fyu1.sc.intel.com>

On 2022/4/26 12:20 PM, Fenghua Yu wrote:
> Hi, Jean and Zhangfei,
>
> On Mon, Apr 25, 2022 at 05:13:02PM +0100, Jean-Philippe Brucker wrote:
>> Could we move mm_pasid_drop() to __mmdrop() instead of __mmput()? For Arm
>> we do need to hold the mm_count until unbind(), and mmgrab()/mmdrop() is
>> also part of Lu's rework [1].
> Is this a right fix for the issue? Could you please test it on ARM?
> I don't have an ARM machine.
>
> Thanks.
>
> -Fenghua
>
> From 84aa68f6174439d863c40cdc2db0e1b89d620dd0 Mon Sep 17 00:00:00 2001
> From: Fenghua Yu <fenghua.yu@intel.com> > Date: Fri, 15 Apr 2022 00:51:33 -0700 > Subject: [PATCH] iommu/sva: Fix PASID use-after-free issue > > A PASID might be still used on ARM after it is freed in __mmput(). > > process: > open()->sva_bind()->ioasid_alloc() = N; // Get PASID N for the mm > exit(); > exit_mm()->__mmput()->mm_pasid_drop()->mm->pasid = -1; // PASID -1 > exit_files()->release(dev)->sva_unbind()->use mm->pasid; // Failure > > To avoid the use-after-free issue, free the PASID after no device uses it, > i.e. after all devices are unbound from the mm. > > sva_bind()/sva_unbind() call mmgrab()/mmdrop() to track mm->mm_count. > __mmdrop() is called only after mm->mm_count is zero. So freeing the PASID > in __mmdrop() guarantees the PASID is safely freed only after no device > is bound to the mm. > > Fixes: 701fac40384f ("iommu/sva: Assign a PASID to mm on PASID allocation and free it on mm exit") > > Reported-by: Zhangfei Gao <zhangfei.gao@foxmail.com> > Suggested-by: Jean-Philippe Brucker <jean-philippe@linaro.org> > Suggested-by: Jacob Pan <jacob.jun.pan@linux.intel.com> > Signed-off-by: Fenghua Yu <fenghua.yu@intel.com> Thanks for the fix. Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> > --- > kernel/fork.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/fork.c b/kernel/fork.c > index 9796897560ab..35a3beff140b 100644 > --- a/kernel/fork.c > +++ b/kernel/fork.c > @@ -792,6 +792,7 @@ void __mmdrop(struct mm_struct *mm) > mmu_notifier_subscriptions_destroy(mm); > check_mm(mm); > put_user_ns(mm->user_ns); > + mm_pasid_drop(mm); > free_mm(mm); > } > EXPORT_SYMBOL_GPL(__mmdrop); > @@ -1190,7 +1191,6 @@ static inline void __mmput(struct mm_struct *mm) > } > if (mm->binfmt) > module_put(mm->binfmt->module); > - mm_pasid_drop(mm); > mmdrop(mm); > } >
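Review bot: in the __mmdrop() hunk, the added mm_pasid_drop(mm) call carries no comment saying why the PASID is released here and not in __mmput(), and the guarantee in the changelog depends on sva_bind()/sva_unbind() pairing mmgrab()/mmdrop(), which this diff does not touch. The quoted suggestion says mmgrab()/mmdrop() "is also part of Lu's rework", so the changelog should state which bind paths already hold mm_count; a bind path without mmgrab() would still reach sva_unbind() after the PASID is gone. A one-line comment above the call, stating that the PASID must outlive the last device unbind, would keep a later cleanup from moving it back.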
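Review bot: in the __mmput() hunk, dropping mm_pasid_drop(mm) moves the end of the PASID lifetime from __mmput() to the final mmdrop(), but the changelog only walks through the failing exit sequence and never states the new lifetime. The Fixes: subject still reads "free it on mm exit", so please say explicitly that the PASID now stays allocated until mm->mm_count reaches zero, and that any holder of an mmgrab() reference therefore delays the PASID's return to the allocator.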