* [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open()
@ 2023-05-09 6:07 Harshit Mogalapalli
2023-05-09 15:13 ` Dave Jiang
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Harshit Mogalapalli @ 2023-05-09 6:07 UTC (permalink / raw)
Cc: error27, kernel-janitors, dan.carpenter, Harshit Mogalapalli,
Fenghua Yu, Dave Jiang, Vinod Koul, dmaengine, linux-kernel
Smatch warns:
drivers/dma/idxd/cdev.c:327:
idxd_cdev_open() warn: 'sva' was already freed.
When idxd_wq_set_pasid() fails, the current code unbinds sva and then
goes to 'failed_set_pasid' where iommu_sva_unbind_device is called
again causing the above warning.
[ device_user_pasid_enabled(idxd) is still true when calling
failed_set_pasid ]
Fix this by removing additional unbind when idxd_wq_set_pasid() fails
Fixes: b022f59725f0 ("dmaengine: idxd: add idxd_copy_cr() to copy user completion record during page fault handling")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
This is purely based on static analysis. Only compile tested.
---
drivers/dma/idxd/cdev.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
index ecbf67c2ad2b..d32deb9b4e3d 100644
--- a/drivers/dma/idxd/cdev.c
+++ b/drivers/dma/idxd/cdev.c
@@ -277,7 +277,6 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp)
if (wq_dedicated(wq)) {
rc = idxd_wq_set_pasid(wq, pasid);
if (rc < 0) {
- iommu_sva_unbind_device(sva);
dev_err(dev, "wq set pasid failed: %d\n", rc);
goto failed_set_pasid;
}
--
2.38.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open()
2023-05-09 6:07 [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open() Harshit Mogalapalli
@ 2023-05-09 15:13 ` Dave Jiang
2023-05-10 22:08 ` Fenghua Yu
2023-05-16 17:51 ` Vinod Koul
2 siblings, 0 replies; 4+ messages in thread
From: Dave Jiang @ 2023-05-09 15:13 UTC (permalink / raw)
To: Harshit Mogalapalli
Cc: error27, kernel-janitors, dan.carpenter, Fenghua Yu, Vinod Koul,
dmaengine, linux-kernel
On 5/8/23 11:07 PM, Harshit Mogalapalli wrote:
> Smatch warns:
> drivers/dma/idxd/cdev.c:327:
> idxd_cdev_open() warn: 'sva' was already freed.
>
> When idxd_wq_set_pasid() fails, the current code unbinds sva and then
> goes to 'failed_set_pasid' where iommu_sva_unbind_device is called
> again causing the above warning.
> [ device_user_pasid_enabled(idxd) is still true when calling
> failed_set_pasid ]
>
> Fix this by removing additional unbind when idxd_wq_set_pasid() fails
>
> Fixes: b022f59725f0 ("dmaengine: idxd: add idxd_copy_cr() to copy user completion record during page fault handling")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Acked-by: Dave Jiang <dave.jiang@intel.com>
Thank you!
> ---
> This is purely based on static analysis. Only compile tested.
> ---
> drivers/dma/idxd/cdev.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
> index ecbf67c2ad2b..d32deb9b4e3d 100644
> --- a/drivers/dma/idxd/cdev.c
> +++ b/drivers/dma/idxd/cdev.c
> @@ -277,7 +277,6 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp)
> if (wq_dedicated(wq)) {
> rc = idxd_wq_set_pasid(wq, pasid);
> if (rc < 0) {
> - iommu_sva_unbind_device(sva);
> dev_err(dev, "wq set pasid failed: %d\n", rc);
> goto failed_set_pasid;
> }
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open()
2023-05-09 6:07 [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open() Harshit Mogalapalli
2023-05-09 15:13 ` Dave Jiang
@ 2023-05-10 22:08 ` Fenghua Yu
2023-05-16 17:51 ` Vinod Koul
2 siblings, 0 replies; 4+ messages in thread
From: Fenghua Yu @ 2023-05-10 22:08 UTC (permalink / raw)
To: Harshit Mogalapalli
Cc: error27, kernel-janitors, dan.carpenter, Dave Jiang, Vinod Koul,
dmaengine, linux-kernel
On 5/8/23 23:07, Harshit Mogalapalli wrote:
> Smatch warns:
> drivers/dma/idxd/cdev.c:327:
> idxd_cdev_open() warn: 'sva' was already freed.
>
> When idxd_wq_set_pasid() fails, the current code unbinds sva and then
> goes to 'failed_set_pasid' where iommu_sva_unbind_device is called
> again causing the above warning.
> [ device_user_pasid_enabled(idxd) is still true when calling
> failed_set_pasid ]
>
> Fix this by removing additional unbind when idxd_wq_set_pasid() fails
>
> Fixes: b022f59725f0 ("dmaengine: idxd: add idxd_copy_cr() to copy user completion record during page fault handling")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Acked-by: Fenghua Yu <fenghua.yu@intel.com>
Thanks.
-Fenghua
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open()
2023-05-09 6:07 [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open() Harshit Mogalapalli
2023-05-09 15:13 ` Dave Jiang
2023-05-10 22:08 ` Fenghua Yu
@ 2023-05-16 17:51 ` Vinod Koul
2 siblings, 0 replies; 4+ messages in thread
From: Vinod Koul @ 2023-05-16 17:51 UTC (permalink / raw)
To: Harshit Mogalapalli
Cc: error27, kernel-janitors, dan.carpenter, Fenghua Yu, Dave Jiang,
dmaengine, linux-kernel
On 08-05-23, 23:07, Harshit Mogalapalli wrote:
> Smatch warns:
> drivers/dma/idxd/cdev.c:327:
> idxd_cdev_open() warn: 'sva' was already freed.
>
> When idxd_wq_set_pasid() fails, the current code unbinds sva and then
> goes to 'failed_set_pasid' where iommu_sva_unbind_device is called
> again causing the above warning.
> [ device_user_pasid_enabled(idxd) is still true when calling
> failed_set_pasid ]
Applied, thanks
--
~Vinod
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-05-16 17:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-09 6:07 [PATCH] dmaengine: idxd: Fix passing freed memory in idxd_cdev_open() Harshit Mogalapalli
2023-05-09 15:13 ` Dave Jiang
2023-05-10 22:08 ` Fenghua Yu
2023-05-16 17:51 ` Vinod Koul
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).