linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Nate Watterson <nwatters@codeaurora.org>,
	Joerg Roedel <jroedel@suse.de>,
	Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 3.18 31/68] iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range
Date: Mon, 19 Mar 2018 19:06:09 +0100	[thread overview]
Message-ID: <20180319171832.134049442@linuxfoundation.org> (raw)
In-Reply-To: <20180319171827.899658615@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nate Watterson <nwatters@codeaurora.org>


[ Upstream commit 5016bdb796b3726eec043ca0ce3be981f712c756 ]

Normally, calling alloc_iova() using an iova_domain with insufficient
pfns remaining between start_pfn and dma_limit will fail and return a
NULL pointer. Unexpectedly, if such a "full" iova_domain contains an
iova with pfn_lo == 0, the alloc_iova() call will instead succeed and
return an iova containing invalid pfns.

This is caused by an underflow bug in __alloc_and_insert_iova_range()
that occurs after walking the "full" iova tree when the search ends
at the iova with pfn_lo == 0 and limit_pfn is then adjusted to be just
below that (-1). This (now huge) limit_pfn gives the impression that a
vast amount of space is available between it and start_pfn and thus
a new iova is allocated with the invalid pfn_hi value, 0xFFF.... .

To rememdy this, a check is introduced to ensure that adjustments to
limit_pfn will not underflow.

This issue has been observed in the wild, and is easily reproduced with
the following sample code.

	struct iova_domain *iovad = kzalloc(sizeof(*iovad), GFP_KERNEL);
	struct iova *rsvd_iova, *good_iova, *bad_iova;
	unsigned long limit_pfn = 3;
	unsigned long start_pfn = 1;
	unsigned long va_size = 2;

	init_iova_domain(iovad, SZ_4K, start_pfn, limit_pfn);
	rsvd_iova = reserve_iova(iovad, 0, 0);
	good_iova = alloc_iova(iovad, va_size, limit_pfn, true);
	bad_iova = alloc_iova(iovad, va_size, limit_pfn, true);

Prior to the patch, this yielded:
	*rsvd_iova == {0, 0}   /* Expected */
	*good_iova == {2, 3}   /* Expected */
	*bad_iova  == {-2, -1} /* Oh no... */

After the patch, bad_iova is NULL as expected since inadequate
space remains between limit_pfn and start_pfn after allocating
good_iova.

Signed-off-by: Nate Watterson <nwatters@codeaurora.org>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/iova.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -118,7 +118,7 @@ static int __alloc_and_insert_iova_range
 				break;	/* found a free slot */
 		}
 adjust_limit_pfn:
-		limit_pfn = curr_iova->pfn_lo - 1;
+		limit_pfn = curr_iova->pfn_lo ? (curr_iova->pfn_lo - 1) : 0;
 move_left:
 		prev = curr;
 		curr = rb_prev(curr);

  parent reply	other threads:[~2018-03-19 18:06 UTC|newest]

Thread overview: 81+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-03-19 18:05 [PATCH 3.18 00/68] 3.18.101-stable review Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 01/68] Input: tsc2007 - check for presence and power down tsc2007 during probe Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 02/68] HID: reject input outside logical range only if null state is set Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 03/68] net: mvpp2: set dma mask and coherent dma mask on PPv2.2 Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 04/68] PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown() Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 05/68] selinux: check for address length in selinux_socket_bind() Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 06/68] perf tools: Make perf_event__synthesize_mmap_events() scale Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 07/68] drivers: net: xgene: Fix hardware checksum setting Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 08/68] drm: Defer disabling the vblank IRQ until the next interrupt (for instant-off) Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 09/68] ath10k: disallow DFS simulation if DFS channel is not enabled Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 10/68] HID: clamp input to logical range if no null state Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 11/68] ARM: dts: Adjust moxart IRQ controller and flags Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 12/68] batman-adv: handle race condition for claims between gateways Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 13/68] of: fix of_device_get_modalias returned length when truncating buffers Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 14/68] scsi: ipr: Fix missed EH wakeup Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 15/68] [media] media: i2c/soc_camera: fix ov6650 sensor getting wrong clock Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 16/68] timers, sched_clock: Update timeout for clock wrap Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 17/68] sched: act_csum: dont mangle TCP and UDP GSO packets Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 18/68] spi: omap2-mcspi: poll OMAP2_MCSPI_CHSTAT_RXS for PIO transfer Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 19/68] tcp: sysctl: Fix a race to avoid unexpected 0 window from space Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 20/68] mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative() Greg Kroah-Hartman
2018-03-19 18:05 ` [PATCH 3.18 21/68] blk-throttle: make sure expire time isnt too big Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 22/68] ARM: DRA7: hwmod_data: Prevent wait_target_disable error for usb_otg_ss Greg Kroah-Hartman
2018-03-21 10:37   ` Roger Quadros
2018-03-21 11:02     ` Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 23/68] braille-console: Fix value returned by _braille_console_setup Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 24/68] ARM: dts: r8a7790: Correct parent of SSI[0-9] clocks Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 25/68] ARM: dts: r8a7791: " Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 26/68] powerpc: Avoid taking a data miss on every userspace instruction miss Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 27/68] net/faraday: Add missing include of of.h Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 28/68] reiserfs: Make cancel_old_flush() reliable Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 29/68] fm10k: correctly check if interface is removed Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 30/68] apparmor: Make path_max parameter readonly Greg Kroah-Hartman
2018-03-19 18:06 ` Greg Kroah-Hartman [this message]
2018-03-19 18:06 ` [PATCH 3.18 32/68] video: ARM CLCD: fix dma allocation size Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 33/68] drm/radeon: Fail fb creation from imported dma-bufs Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 34/68] MIPS: BPF: Quit clobbering callee saved registers in JIT code Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 35/68] regulator: isl9305: fix array size Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 36/68] usb: gadget: dummy_hcd: Fix wrong power status bit clear/reset in dummy_hub_control() Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 37/68] perf inject: Copy events when reordering events in pipe mode Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 38/68] perf session: Dont rely on evlist " Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 39/68] scsi: sg: check for valid direction before starting the request Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 40/68] scsi: sg: close race condition in sg_remove_sfp_usercontext() Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 41/68] kprobes/x86: Fix kprobe-booster not to boost far call instructions Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 42/68] kprobes/x86: Set kprobes pages read-only Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 43/68] wil6210: fix memory access violation in wil_memcpy_from/toio_32 Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 44/68] HID: elo: clear BTN_LEFT mapping Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 45/68] sched: Stop resched_cpu() from sending IPIs to offline CPUs Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 46/68] net: xfrm: allow clearing socket xfrm policies Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 47/68] mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]() Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 48/68] ARM: dts: am335x-pepper: Fix the audio CODECs reset pin Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 49/68] ARM: dts: omap3-n900: " Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 50/68] mtd: nand: ifc: update bufnum mask for ver >= 2.0.0 Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 51/68] tools/usbip: fixes build with musl libc toolchain Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 52/68] spi: sun6i: disable/unprepare clocks on remove Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 53/68] scsi: devinfo: apply to HP XP the same flags as Hitachi VSP Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 54/68] media: cpia2: Fix a couple off by one bugs Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 55/68] veth: set peer GSO values Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 56/68] mac80211: remove BUG() when interface type is invalid Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 57/68] ASoC: nuc900: Fix a loop timeout test Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 58/68] rcutorture/configinit: Fix build directory error message Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 59/68] ima: relax requiring a file signature for new files with zero length Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 60/68] ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats() Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 61/68] ALSA: seq: Fix possible UAF in snd_seq_check_queue() Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 62/68] ALSA: seq: Clear client entry before deleting else at closing Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 63/68] lock_parent() needs to recheck if dentry got __dentry_killed under it Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 64/68] fs/aio: Add explicit RCU grace period when freeing kioctx Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 65/68] fs/aio: Use RCU accessors for kioctx_table->table[] Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 66/68] scsi: sg: fix SG_DXFER_FROM_DEV transfers Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 67/68] scsi: sg: fix static checker warning in sg_is_valid_dxfer Greg Kroah-Hartman
2018-03-19 18:06 ` [PATCH 3.18 68/68] scsi: sg: only check for dxfer_len greater than 256M Greg Kroah-Hartman
2018-03-19 22:00 ` [PATCH 3.18 00/68] 3.18.101-stable review kernelci.org bot
2018-03-20 14:47 ` Guenter Roeck
2018-03-21 11:03   ` Greg Kroah-Hartman
2018-03-20 17:34 ` Shuah Khan
2018-03-20 17:50 ` Harsh Shandilya
2018-03-21 10:05   ` Greg Kroah-Hartman
2018-03-21 11:04 ` Greg Kroah-Hartman
2018-03-21 17:47   ` Guenter Roeck
2018-03-22  8:21     ` Greg Kroah-Hartman
2018-03-22 16:39   ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180319171832.134049442@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=alexander.levin@microsoft.com \
    --cc=jroedel@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nwatters@codeaurora.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).