[PATCH] intel-iommu: Fix use after release during device attach

[PATCH] intel-iommu: Fix use after release during device attach

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Obtail the new pgd pointer before releasing the page containing this
value.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

Who is taking care of this? The kvm tree?

 drivers/pci/intel-iommu.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
index 4789f8e..35463dd 100644
--- a/drivers/pci/intel-iommu.c
+++ b/drivers/pci/intel-iommu.c
@@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct iommu_domain *domain,
 
 		pte = dmar_domain->pgd;
 		if (dma_pte_present(pte)) {
-			free_pgtable_page(dmar_domain->pgd);
 			dmar_domain->pgd = (struct dma_pte *)
 				phys_to_virt(dma_pte_addr(pte));
+			free_pgtable_page(pte);
 		}
 		dmar_domain->agaw--;
 	}
-- 
1.7.1

Re: [PATCH] intel-iommu: Fix use after release during device attach

[Sheng Yang]

On Tuesday 02 November 2010 15:05:51 Jan Kiszka wrote:
> From: Jan Kiszka <jan.kiszka@siemens.com>
> 
> Obtail the new pgd pointer before releasing the page containing this
> value.
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> ---
> 
> Who is taking care of this? The kvm tree?
> 
>  drivers/pci/intel-iommu.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
> index 4789f8e..35463dd 100644
> --- a/drivers/pci/intel-iommu.c
> +++ b/drivers/pci/intel-iommu.c
> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
> iommu_domain *domain,
> 
>  		pte = dmar_domain->pgd;
>  		if (dma_pte_present(pte)) {
> -			free_pgtable_page(dmar_domain->pgd);
>  			dmar_domain->pgd = (struct dma_pte *)
>  				phys_to_virt(dma_pte_addr(pte));
> +			free_pgtable_page(pte);
>  		}
>  		dmar_domain->agaw--;
>  	}

Reviewed-by: Sheng Yang <sheng@linux.intel.com>

CC iommu mailing list and David.

OK, Jan, I got your meaning now. And it's not the exactly swap. :)

I think the old code is safe, seems it's broken(exposed) by: 

commit 1a8bd481bfba30515b54368d90a915db3faf302f
Author: David Woodhouse <David.Woodhouse@intel.com>
Date:   Tue Aug 10 01:38:53 2010 +0100

    intel-iommu: Fix 32-bit build warning with __cmpxchg()
    
    drivers/pci/intel-iommu.c: In function 'dma_pte_addr':
    drivers/pci/intel-iommu.c:239: warning: passing argument 1 of '__cmpxchg64' 
from incompatible pointer typ
    
    It seems that __cmpxchg64() now cares about the type of its pointer argument,
    so give it a (uint64_t *) instead of a pointer to a structure which contains
    only that.
    
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
index c9171be..603cdc0 100644
--- a/drivers/pci/intel-iommu.c
+++ b/drivers/pci/intel-iommu.c
@@ -236,7 +236,7 @@ static inline u64 dma_pte_addr(struct dma_pte *pte)
        return pte->val & VTD_PAGE_MASK;
 #else
        /* Must have a full atomic 64-bit read */
-       return  __cmpxchg64(pte, 0ULL, 0ULL) & VTD_PAGE_MASK;
+       return  __cmpxchg64(&pte->val, 0ULL, 0ULL) & VTD_PAGE_MASK;
 #endif
 }

Seems here is the only affected code?

--
regards
Yang, Sheng

Re: [PATCH] intel-iommu: Fix use after release during device attach

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 2560 bytes --]

Am 02.11.2010 08:31, Sheng Yang wrote:
> On Tuesday 02 November 2010 15:05:51 Jan Kiszka wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> Obtail the new pgd pointer before releasing the page containing this
>> value.
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>>
>> Who is taking care of this? The kvm tree?
>>
>>  drivers/pci/intel-iommu.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
>> index 4789f8e..35463dd 100644
>> --- a/drivers/pci/intel-iommu.c
>> +++ b/drivers/pci/intel-iommu.c
>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
>> iommu_domain *domain,
>>
>>  		pte = dmar_domain->pgd;
>>  		if (dma_pte_present(pte)) {
>> -			free_pgtable_page(dmar_domain->pgd);
>>  			dmar_domain->pgd = (struct dma_pte *)
>>  				phys_to_virt(dma_pte_addr(pte));
>> +			free_pgtable_page(pte);
>>  		}
>>  		dmar_domain->agaw--;
>>  	}
> 
> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
> 
> CC iommu mailing list and David.
> 
> OK, Jan, I got your meaning now. And it's not the exactly swap. :)
> 
> I think the old code is safe, seems it's broken(exposed) by: 
> 
> commit 1a8bd481bfba30515b54368d90a915db3faf302f
> Author: David Woodhouse <David.Woodhouse@intel.com>
> Date:   Tue Aug 10 01:38:53 2010 +0100
> 
>     intel-iommu: Fix 32-bit build warning with __cmpxchg()
>     
>     drivers/pci/intel-iommu.c: In function 'dma_pte_addr':
>     drivers/pci/intel-iommu.c:239: warning: passing argument 1 of '__cmpxchg64' 
> from incompatible pointer typ
>     
>     It seems that __cmpxchg64() now cares about the type of its pointer argument,
>     so give it a (uint64_t *) instead of a pointer to a structure which contains
>     only that.
>     
>     Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
> 
> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
> index c9171be..603cdc0 100644
> --- a/drivers/pci/intel-iommu.c
> +++ b/drivers/pci/intel-iommu.c
> @@ -236,7 +236,7 @@ static inline u64 dma_pte_addr(struct dma_pte *pte)
>         return pte->val & VTD_PAGE_MASK;
>  #else
>         /* Must have a full atomic 64-bit read */
> -       return  __cmpxchg64(pte, 0ULL, 0ULL) & VTD_PAGE_MASK;
> +       return  __cmpxchg64(&pte->val, 0ULL, 0ULL) & VTD_PAGE_MASK;
>  #endif
>  }
> 
> Seems here is the only affected code?

CONFIG_64BIT is on here, so this change did not make a difference for me.

Jan


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

Re: [PATCH] intel-iommu: Fix use after release during device attach

[Sheng Yang]

On Tuesday 02 November 2010 15:46:11 Jan Kiszka wrote:
> Am 02.11.2010 08:31, Sheng Yang wrote:
> > On Tuesday 02 November 2010 15:05:51 Jan Kiszka wrote:
> >> From: Jan Kiszka <jan.kiszka@siemens.com>
> >> 
> >> Obtail the new pgd pointer before releasing the page containing this
> >> value.
> >> 
> >> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> >> ---
> >> 
> >> Who is taking care of this? The kvm tree?
> >> 
> >>  drivers/pci/intel-iommu.c |    2 +-
> >>  1 files changed, 1 insertions(+), 1 deletions(-)
> >> 
> >> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
> >> index 4789f8e..35463dd 100644
> >> --- a/drivers/pci/intel-iommu.c
> >> +++ b/drivers/pci/intel-iommu.c
> >> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
> >> iommu_domain *domain,
> >> 
> >>  		pte = dmar_domain->pgd;
> >>  		if (dma_pte_present(pte)) {
> >> 
> >> -			free_pgtable_page(dmar_domain->pgd);
> >> 
> >>  			dmar_domain->pgd = (struct dma_pte *)
> >>  			
> >>  				phys_to_virt(dma_pte_addr(pte));
> >> 
> >> +			free_pgtable_page(pte);
> >> 
> >>  		}
> >>  		dmar_domain->agaw--;
> >>  	
> >>  	}
> > 
> > Reviewed-by: Sheng Yang <sheng@linux.intel.com>
> > 
> > CC iommu mailing list and David.
> > 
> > OK, Jan, I got your meaning now. And it's not the exactly swap. :)
> > 
> > I think the old code is safe, seems it's broken(exposed) by:
> > 
> > commit 1a8bd481bfba30515b54368d90a915db3faf302f
> > Author: David Woodhouse <David.Woodhouse@intel.com>
> > Date:   Tue Aug 10 01:38:53 2010 +0100
> > 
> >     intel-iommu: Fix 32-bit build warning with __cmpxchg()
> >     
> >     drivers/pci/intel-iommu.c: In function 'dma_pte_addr':
> >     drivers/pci/intel-iommu.c:239: warning: passing argument 1 of
> >     '__cmpxchg64'
> > 
> > from incompatible pointer typ
> > 
> >     It seems that __cmpxchg64() now cares about the type of its pointer
> >     argument, so give it a (uint64_t *) instead of a pointer to a
> >     structure which contains only that.
> >     
> >     Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
> > 
> > diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
> > index c9171be..603cdc0 100644
> > --- a/drivers/pci/intel-iommu.c
> > +++ b/drivers/pci/intel-iommu.c
> > @@ -236,7 +236,7 @@ static inline u64 dma_pte_addr(struct dma_pte *pte)
> > 
> >         return pte->val & VTD_PAGE_MASK;
> >  
> >  #else
> >  
> >         /* Must have a full atomic 64-bit read */
> > 
> > -       return  __cmpxchg64(pte, 0ULL, 0ULL) & VTD_PAGE_MASK;
> > +       return  __cmpxchg64(&pte->val, 0ULL, 0ULL) & VTD_PAGE_MASK;
> > 
> >  #endif
> >  }
> > 
> > Seems here is the only affected code?
> 
> CONFIG_64BIT is on here, so this change did not make a difference for me.

Oh...

Then it would due to most VT-d machine wouldn't run into while (iommu->agaw < 
dmar_domain->agaw). 

We have routing test for VT-d devices assignment, but seems we don't use this kind 
of VT-d machine for testing.

--
regards
Yang, Sheng


> 
> Jan

Re: [PATCH] intel-iommu: Fix use after release during device attach

[Sheng Yang]

On Tuesday 02 November 2010 15:31:22 Sheng Yang wrote:
> On Tuesday 02 November 2010 15:05:51 Jan Kiszka wrote:
> > From: Jan Kiszka <jan.kiszka@siemens.com>
> > 
> > Obtail the new pgd pointer before releasing the page containing this
> > value.
> > 
> > Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
> > ---
> > 
> > Who is taking care of this? The kvm tree?
> > 
> >  drivers/pci/intel-iommu.c |    2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> > 
> > diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
> > index 4789f8e..35463dd 100644
> > --- a/drivers/pci/intel-iommu.c
> > +++ b/drivers/pci/intel-iommu.c
> > @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
> > iommu_domain *domain,
> > 
> >  		pte = dmar_domain->pgd;
> >  		if (dma_pte_present(pte)) {
> > 
> > -			free_pgtable_page(dmar_domain->pgd);
> > 
> >  			dmar_domain->pgd = (struct dma_pte *)
> >  			
> >  				phys_to_virt(dma_pte_addr(pte));
> > 
> > +			free_pgtable_page(pte);
> > 
> >  		}
> >  		dmar_domain->agaw--;
> >  	
> >  	}
> 
> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
> 
> CC iommu mailing list and David.
> 
> OK, Jan, I got your meaning now. And it's not the exactly swap. :)
> 
> I think the old code is safe, seems it's broken(exposed) by:
> 
> commit 1a8bd481bfba30515b54368d90a915db3faf302f
> Author: David Woodhouse <David.Woodhouse@intel.com>
> Date:   Tue Aug 10 01:38:53 2010 +0100
> 
>     intel-iommu: Fix 32-bit build warning with __cmpxchg()

In fact this one shouldn't affect the result. Wrong guess...

--
regards
Yang, Sheng

> 
>     drivers/pci/intel-iommu.c: In function 'dma_pte_addr':
>     drivers/pci/intel-iommu.c:239: warning: passing argument 1 of
> '__cmpxchg64' from incompatible pointer typ
> 
>     It seems that __cmpxchg64() now cares about the type of its pointer
> argument, so give it a (uint64_t *) instead of a pointer to a structure
> which contains only that.
> 
>     Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
> 
> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
> index c9171be..603cdc0 100644
> --- a/drivers/pci/intel-iommu.c
> +++ b/drivers/pci/intel-iommu.c
> @@ -236,7 +236,7 @@ static inline u64 dma_pte_addr(struct dma_pte *pte)
>         return pte->val & VTD_PAGE_MASK;
>  #else
>         /* Must have a full atomic 64-bit read */
> -       return  __cmpxchg64(pte, 0ULL, 0ULL) & VTD_PAGE_MASK;
> +       return  __cmpxchg64(&pte->val, 0ULL, 0ULL) & VTD_PAGE_MASK;
>  #endif
>  }
> 
> Seems here is the only affected code?
> 
> --
> regards
> Yang, Sheng
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] intel-iommu: Fix use after release during device attach

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 1183 bytes --]

Am 02.11.2010 08:31, Sheng Yang wrote:
> On Tuesday 02 November 2010 15:05:51 Jan Kiszka wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> Obtail the new pgd pointer before releasing the page containing this
>> value.
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>>
>> Who is taking care of this? The kvm tree?
>>
>>  drivers/pci/intel-iommu.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
>> index 4789f8e..35463dd 100644
>> --- a/drivers/pci/intel-iommu.c
>> +++ b/drivers/pci/intel-iommu.c
>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
>> iommu_domain *domain,
>>
>>  		pte = dmar_domain->pgd;
>>  		if (dma_pte_present(pte)) {
>> -			free_pgtable_page(dmar_domain->pgd);
>>  			dmar_domain->pgd = (struct dma_pte *)
>>  				phys_to_virt(dma_pte_addr(pte));
>> +			free_pgtable_page(pte);
>>  		}
>>  		dmar_domain->agaw--;
>>  	}
> 
> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
> 
> CC iommu mailing list and David.

Ping...

I think this fix also qualifies for stable (.35 and .36).

Jan



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

Re: [PATCH] intel-iommu: Fix use after release during device attach

[Jan Kiszka]

Am 14.11.2010 10:18, Jan Kiszka wrote:
> Am 02.11.2010 08:31, Sheng Yang wrote:
>> On Tuesday 02 November 2010 15:05:51 Jan Kiszka wrote:
>>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>>
>>> Obtail the new pgd pointer before releasing the page containing this
>>> value.
>>>
>>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>>> ---
>>>
>>> Who is taking care of this? The kvm tree?
>>>
>>>  drivers/pci/intel-iommu.c |    2 +-
>>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
>>> index 4789f8e..35463dd 100644
>>> --- a/drivers/pci/intel-iommu.c
>>> +++ b/drivers/pci/intel-iommu.c
>>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
>>> iommu_domain *domain,
>>>
>>>  		pte = dmar_domain->pgd;
>>>  		if (dma_pte_present(pte)) {
>>> -			free_pgtable_page(dmar_domain->pgd);
>>>  			dmar_domain->pgd = (struct dma_pte *)
>>>  				phys_to_virt(dma_pte_addr(pte));
>>> +			free_pgtable_page(pte);
>>>  		}
>>>  		dmar_domain->agaw--;
>>>  	}
>>
>> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
>>
>> CC iommu mailing list and David.
> 
> Ping...
> 
> I think this fix also qualifies for stable (.35 and .36).
> 

Still not merged?

Jan

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux

Re: [PATCH] intel-iommu: Fix use after release during device attach

[Chris Wright]

* Jan Kiszka (jan.kiszka@siemens.com) wrote:
> >>> --- a/drivers/pci/intel-iommu.c
> >>> +++ b/drivers/pci/intel-iommu.c
> >>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
> >>> iommu_domain *domain,
> >>>
> >>>  		pte = dmar_domain->pgd;
> >>>  		if (dma_pte_present(pte)) {
> >>> -			free_pgtable_page(dmar_domain->pgd);
> >>>  			dmar_domain->pgd = (struct dma_pte *)
> >>>  				phys_to_virt(dma_pte_addr(pte));

While here, might as well remove the unnecessary cast.

> >>> +			free_pgtable_page(pte);
> >>>  		}
> >>>  		dmar_domain->agaw--;
> >>>  	}
> >>
> >> Reviewed-by: Sheng Yang <sheng@linux.intel.com>

Acked-by: Chris Wright <chrisw@sous-sol.org>

> >> CC iommu mailing list and David.
> > 
> > Ping...
> > 
> > I think this fix also qualifies for stable (.35 and .36).
> > 
> 
> Still not merged?

David, do you plan to pick this one up?

thanks,
-chris

Re: [PATCH] intel-iommu: Fix use after release during device attach

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 1062 bytes --]

Am 10.12.2010 19:44, Chris Wright wrote:
> * Jan Kiszka (jan.kiszka@siemens.com) wrote:
>>>>> --- a/drivers/pci/intel-iommu.c
>>>>> +++ b/drivers/pci/intel-iommu.c
>>>>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
>>>>> iommu_domain *domain,
>>>>>
>>>>>  		pte = dmar_domain->pgd;
>>>>>  		if (dma_pte_present(pte)) {
>>>>> -			free_pgtable_page(dmar_domain->pgd);
>>>>>  			dmar_domain->pgd = (struct dma_pte *)
>>>>>  				phys_to_virt(dma_pte_addr(pte));
> 
> While here, might as well remove the unnecessary cast.
> 
>>>>> +			free_pgtable_page(pte);
>>>>>  		}
>>>>>  		dmar_domain->agaw--;
>>>>>  	}
>>>>
>>>> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
> 
> Acked-by: Chris Wright <chrisw@sous-sol.org>
> 
>>>> CC iommu mailing list and David.
>>>
>>> Ping...
>>>
>>> I think this fix also qualifies for stable (.35 and .36).
>>>
>>
>> Still not merged?
> 
> David, do you plan to pick this one up?
> 
> thanks,
> -chris

Hmm, still no reaction. Trying David's Intel address now...

Jan


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

[PATCH v2] intel-iommu: Fix use after release during device attach

[Jan Kiszka]

On 2011-01-04 11:42, Jan Kiszka wrote:
> Am 10.12.2010 19:44, Chris Wright wrote:
>> * Jan Kiszka (jan.kiszka@siemens.com) wrote:
>>>>>> --- a/drivers/pci/intel-iommu.c
>>>>>> +++ b/drivers/pci/intel-iommu.c
>>>>>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
>>>>>> iommu_domain *domain,
>>>>>>
>>>>>>  		pte = dmar_domain->pgd;
>>>>>>  		if (dma_pte_present(pte)) {
>>>>>> -			free_pgtable_page(dmar_domain->pgd);
>>>>>>  			dmar_domain->pgd = (struct dma_pte *)
>>>>>>  				phys_to_virt(dma_pte_addr(pte));
>>
>> While here, might as well remove the unnecessary cast.
>>
>>>>>> +			free_pgtable_page(pte);
>>>>>>  		}
>>>>>>  		dmar_domain->agaw--;
>>>>>>  	}
>>>>>
>>>>> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
>>
>> Acked-by: Chris Wright <chrisw@sous-sol.org>
>>
>>>>> CC iommu mailing list and David.
>>>>
>>>> Ping...
>>>>
>>>> I think this fix also qualifies for stable (.35 and .36).
>>>>
>>>
>>> Still not merged?
>>
>> David, do you plan to pick this one up?
>>
>> thanks,
>> -chris
> 
> Hmm, still no reaction. Trying David's Intel address now...
> 
> Jan
> 

Walking through my old queues, I came across this one again.

Given the still lacking reaction from the official maintainer, I'm a
bit confused about the state of intel-iommu. Is it unmaintained? Should
this bug fix better be routed through the KVM tree as its only in-tree
user? Please enlighten me.

Note that the patch became stable material for 35..38 in the meantime,
and it should go into 39 before release as well.

Thanks,
Jan

-------8<--------

Obtain the new pgd pointer before releasing the page containing this
value. Remove unneeded cast at this chance as well.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 drivers/pci/intel-iommu.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

v1->v2: Clean up cast as suggested by Chris.

diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
index 505c1c7..b3e5c43 100644
--- a/drivers/pci/intel-iommu.c
+++ b/drivers/pci/intel-iommu.c
@@ -3607,9 +3607,8 @@ static int intel_iommu_attach_device(struct iommu_domain *domain,
 
 		pte = dmar_domain->pgd;
 		if (dma_pte_present(pte)) {
-			free_pgtable_page(dmar_domain->pgd);
-			dmar_domain->pgd = (struct dma_pte *)
-				phys_to_virt(dma_pte_addr(pte));
+			dmar_domain->pgd = phys_to_virt(dma_pte_addr(pte));
+			free_pgtable_page(pte);
 		}
 		dmar_domain->agaw--;
 	}
-- 
1.7.1

Re: [PATCH v2] intel-iommu: Fix use after release during device attach

[Chris Wright]

* Jan Kiszka (jan.kiszka@siemens.com) wrote:
> On 2011-01-04 11:42, Jan Kiszka wrote:
> > Am 10.12.2010 19:44, Chris Wright wrote:
> >> * Jan Kiszka (jan.kiszka@siemens.com) wrote:
> >>>>>> --- a/drivers/pci/intel-iommu.c
> >>>>>> +++ b/drivers/pci/intel-iommu.c
> >>>>>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
> >>>>>> iommu_domain *domain,
> >>>>>>
> >>>>>>  		pte = dmar_domain->pgd;
> >>>>>>  		if (dma_pte_present(pte)) {
> >>>>>> -			free_pgtable_page(dmar_domain->pgd);
> >>>>>>  			dmar_domain->pgd = (struct dma_pte *)
> >>>>>>  				phys_to_virt(dma_pte_addr(pte));
> >>
> >> While here, might as well remove the unnecessary cast.
> >>
> >>>>>> +			free_pgtable_page(pte);
> >>>>>>  		}
> >>>>>>  		dmar_domain->agaw--;
> >>>>>>  	}
> >>>>>
> >>>>> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
> >>
> >> Acked-by: Chris Wright <chrisw@sous-sol.org>
> >>
> >>>>> CC iommu mailing list and David.
> >>>>
> >>>> Ping...
> >>>>
> >>>> I think this fix also qualifies for stable (.35 and .36).
> >>>>
> >>>
> >>> Still not merged?
> >>
> >> David, do you plan to pick this one up?
> >>
> >> thanks,
> >> -chris
> > 
> > Hmm, still no reaction. Trying David's Intel address now...
> > 
> > Jan
> > 
> 
> Walking through my old queues, I came across this one again.
> 
> Given the still lacking reaction from the official maintainer, I'm a
> bit confused about the state of intel-iommu. Is it unmaintained? Should
> this bug fix better be routed through the KVM tree as its only in-tree
> user? Please enlighten me.
> 
> Note that the patch became stable material for 35..38 in the meantime,
> and it should go into 39 before release as well.
> 
> Thanks,
> Jan
> 
> -------8<--------
> 
> Obtain the new pgd pointer before releasing the page containing this
> value. Remove unneeded cast at this chance as well.
> 
> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>

Acked-by: Chris Wright <chrisw@sous-sol.org>

> ---
>  drivers/pci/intel-iommu.c |    5 ++---
>  1 files changed, 2 insertions(+), 3 deletions(-)
> 
> v1->v2: Clean up cast as suggested by Chris.
> 
> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
> index 505c1c7..b3e5c43 100644
> --- a/drivers/pci/intel-iommu.c
> +++ b/drivers/pci/intel-iommu.c
> @@ -3607,9 +3607,8 @@ static int intel_iommu_attach_device(struct iommu_domain *domain,
>  
>  		pte = dmar_domain->pgd;
>  		if (dma_pte_present(pte)) {
> -			free_pgtable_page(dmar_domain->pgd);
> -			dmar_domain->pgd = (struct dma_pte *)
> -				phys_to_virt(dma_pte_addr(pte));
> +			dmar_domain->pgd = phys_to_virt(dma_pte_addr(pte));
> +			free_pgtable_page(pte);
>  		}
>  		dmar_domain->agaw--;
>  	}

Re: [PATCH v2] intel-iommu: Fix use after release during device attach

[Alex Williamson]

On Thu, 2011-04-21 at 14:32 +0200, Jan Kiszka wrote:
> On 2011-01-04 11:42, Jan Kiszka wrote:
> > Am 10.12.2010 19:44, Chris Wright wrote:
> >> * Jan Kiszka (jan.kiszka@siemens.com) wrote:
> >>>>>> --- a/drivers/pci/intel-iommu.c
> >>>>>> +++ b/drivers/pci/intel-iommu.c
> >>>>>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
> >>>>>> iommu_domain *domain,
> >>>>>>
> >>>>>>  		pte = dmar_domain->pgd;
> >>>>>>  		if (dma_pte_present(pte)) {
> >>>>>> -			free_pgtable_page(dmar_domain->pgd);
> >>>>>>  			dmar_domain->pgd = (struct dma_pte *)
> >>>>>>  				phys_to_virt(dma_pte_addr(pte));
> >>
> >> While here, might as well remove the unnecessary cast.
> >>
> >>>>>> +			free_pgtable_page(pte);
> >>>>>>  		}
> >>>>>>  		dmar_domain->agaw--;
> >>>>>>  	}
> >>>>>
> >>>>> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
> >>
> >> Acked-by: Chris Wright <chrisw@sous-sol.org>
> >>
> >>>>> CC iommu mailing list and David.
> >>>>
> >>>> Ping...
> >>>>
> >>>> I think this fix also qualifies for stable (.35 and .36).
> >>>>
> >>>
> >>> Still not merged?
> >>
> >> David, do you plan to pick this one up?
> >>
> >> thanks,
> >> -chris
> > 
> > Hmm, still no reaction. Trying David's Intel address now...
> > 
> > Jan
> > 
> 
> Walking through my old queues, I came across this one again.
> 
> Given the still lacking reaction from the official maintainer, I'm a
> bit confused about the state of intel-iommu. Is it unmaintained? Should
> this bug fix better be routed through the KVM tree as its only in-tree
> user? Please enlighten me.

I've been wondering the exact same thing.  My last patch took weeks of
prodding, finally went into the maintainer's tree without
acknowledgment, and there's hardly been any activity there to suggest a
pull request for 2.6.39 is going to happen.  David, are you still
interested in maintaining this code?  Thanks,

Alex

Re: [PATCH v2] intel-iommu: Fix use after release during device attach

[David Woodhouse]

On Thu, 2011-04-21 at 15:28 +0100, Alex Williamson wrote:
> I've been wondering the exact same thing.  My last patch took weeks of
> prodding, finally went into the maintainer's tree without
> acknowledgment, and there's hardly been any activity there to suggest
> a pull request for 2.6.39 is going to happen.  David, are you still
> interested in maintaining this code?  Thanks, 

Yes, sorry, I've been somewhat snowed under with various things.

This patch has been in my tree for a while, and I've just merged one
more patch which is outstanding and sent Linus a pull request.
 
-- 
dwmw2

Re: [PATCH v2] intel-iommu: Fix use after release during device attach

[Alex Williamson]

On Thu, 2011-04-21 at 16:42 +0100, David Woodhouse wrote:
> On Thu, 2011-04-21 at 15:28 +0100, Alex Williamson wrote:
> > I've been wondering the exact same thing.  My last patch took weeks of
> > prodding, finally went into the maintainer's tree without
> > acknowledgment, and there's hardly been any activity there to suggest
> > a pull request for 2.6.39 is going to happen.  David, are you still
> > interested in maintaining this code?  Thanks, 
> 
> Yes, sorry, I've been somewhat snowed under with various things.
> 
> This patch has been in my tree for a while, and I've just merged one
> more patch which is outstanding and sent Linus a pull request.

Thanks David, I know you've been busy lately.

Alex