linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open()
@ 2023-05-09  6:07 Harshit Mogalapalli
  2023-05-09 15:13 ` Dave Jiang
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Harshit Mogalapalli @ 2023-05-09  6:07 UTC (permalink / raw)
  Cc: error27, kernel-janitors, dan.carpenter, Harshit Mogalapalli,
	Fenghua Yu, Dave Jiang, Vinod Koul, dmaengine, linux-kernel

Smatch warns:
	drivers/dma/idxd/cdev.c:327:
		idxd_cdev_open() warn: 'sva' was already freed.

When idxd_wq_set_pasid() fails, the current code unbinds sva and then
goes to 'failed_set_pasid' where iommu_sva_unbind_device is called
again causing the above warning.
[ device_user_pasid_enabled(idxd) is still true when calling
failed_set_pasid ]

Fix this by removing additional unbind when idxd_wq_set_pasid() fails

Fixes: b022f59725f0 ("dmaengine: idxd: add idxd_copy_cr() to copy user completion record during page fault handling")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
This is purely based on static analysis. Only compile tested.
---
 drivers/dma/idxd/cdev.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
index ecbf67c2ad2b..d32deb9b4e3d 100644
--- a/drivers/dma/idxd/cdev.c
+++ b/drivers/dma/idxd/cdev.c
@@ -277,7 +277,6 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp)
 		if (wq_dedicated(wq)) {
 			rc = idxd_wq_set_pasid(wq, pasid);
 			if (rc < 0) {
-				iommu_sva_unbind_device(sva);
 				dev_err(dev, "wq set pasid failed: %d\n", rc);
 				goto failed_set_pasid;
 			}
-- 
2.38.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open()
  2023-05-09  6:07 [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open() Harshit Mogalapalli
@ 2023-05-09 15:13 ` Dave Jiang
  2023-05-10 22:08 ` Fenghua Yu
  2023-05-16 17:51 ` Vinod Koul
  2 siblings, 0 replies; 4+ messages in thread
From: Dave Jiang @ 2023-05-09 15:13 UTC (permalink / raw)
  To: Harshit Mogalapalli
  Cc: error27, kernel-janitors, dan.carpenter, Fenghua Yu, Vinod Koul,
	dmaengine, linux-kernel



On 5/8/23 11:07 PM, Harshit Mogalapalli wrote:
> Smatch warns:
> 	drivers/dma/idxd/cdev.c:327:
> 		idxd_cdev_open() warn: 'sva' was already freed.
> 
> When idxd_wq_set_pasid() fails, the current code unbinds sva and then
> goes to 'failed_set_pasid' where iommu_sva_unbind_device is called
> again causing the above warning.
> [ device_user_pasid_enabled(idxd) is still true when calling
> failed_set_pasid ]
> 
> Fix this by removing additional unbind when idxd_wq_set_pasid() fails
> 
> Fixes: b022f59725f0 ("dmaengine: idxd: add idxd_copy_cr() to copy user completion record during page fault handling")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>

Acked-by: Dave Jiang <dave.jiang@intel.com>

Thank you!
> ---
> This is purely based on static analysis. Only compile tested.
> ---
>   drivers/dma/idxd/cdev.c | 1 -
>   1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
> index ecbf67c2ad2b..d32deb9b4e3d 100644
> --- a/drivers/dma/idxd/cdev.c
> +++ b/drivers/dma/idxd/cdev.c
> @@ -277,7 +277,6 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp)
>   		if (wq_dedicated(wq)) {
>   			rc = idxd_wq_set_pasid(wq, pasid);
>   			if (rc < 0) {
> -				iommu_sva_unbind_device(sva);
>   				dev_err(dev, "wq set pasid failed: %d\n", rc);
>   				goto failed_set_pasid;
>   			}

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open()
  2023-05-09  6:07 [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open() Harshit Mogalapalli
  2023-05-09 15:13 ` Dave Jiang
@ 2023-05-10 22:08 ` Fenghua Yu
  2023-05-16 17:51 ` Vinod Koul
  2 siblings, 0 replies; 4+ messages in thread
From: Fenghua Yu @ 2023-05-10 22:08 UTC (permalink / raw)
  To: Harshit Mogalapalli
  Cc: error27, kernel-janitors, dan.carpenter, Dave Jiang, Vinod Koul,
	dmaengine, linux-kernel



On 5/8/23 23:07, Harshit Mogalapalli wrote:
> Smatch warns:
> 	drivers/dma/idxd/cdev.c:327:
> 		idxd_cdev_open() warn: 'sva' was already freed.
> 
> When idxd_wq_set_pasid() fails, the current code unbinds sva and then
> goes to 'failed_set_pasid' where iommu_sva_unbind_device is called
> again causing the above warning.
> [ device_user_pasid_enabled(idxd) is still true when calling
> failed_set_pasid ]
> 
> Fix this by removing additional unbind when idxd_wq_set_pasid() fails
> 
> Fixes: b022f59725f0 ("dmaengine: idxd: add idxd_copy_cr() to copy user completion record during page fault handling")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>

Acked-by: Fenghua Yu <fenghua.yu@intel.com>

Thanks.

-Fenghua

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open()
  2023-05-09  6:07 [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open() Harshit Mogalapalli
  2023-05-09 15:13 ` Dave Jiang
  2023-05-10 22:08 ` Fenghua Yu
@ 2023-05-16 17:51 ` Vinod Koul
  2 siblings, 0 replies; 4+ messages in thread
From: Vinod Koul @ 2023-05-16 17:51 UTC (permalink / raw)
  To: Harshit Mogalapalli
  Cc: error27, kernel-janitors, dan.carpenter, Fenghua Yu, Dave Jiang,
	dmaengine, linux-kernel

On 08-05-23, 23:07, Harshit Mogalapalli wrote:
> Smatch warns:
> 	drivers/dma/idxd/cdev.c:327:
> 		idxd_cdev_open() warn: 'sva' was already freed.
> 
> When idxd_wq_set_pasid() fails, the current code unbinds sva and then
> goes to 'failed_set_pasid' where iommu_sva_unbind_device is called
> again causing the above warning.
> [ device_user_pasid_enabled(idxd) is still true when calling
> failed_set_pasid ]

Applied, thanks

-- 
~Vinod

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-05-16 17:51 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-09  6:07 [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open() Harshit Mogalapalli
2023-05-09 15:13 ` Dave Jiang
2023-05-10 22:08 ` Fenghua Yu
2023-05-16 17:51 ` Vinod Koul

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).