linux-kernel.vger.kernel.org archive mirror
From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>,
	Will Deacon <will.deacon@arm.com>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.14 05/67] iommu/io-pgtable-arm-v7s: Abort allocation when table address overflows the PTE
Date: Fri, 7 Sep 2018 00:37:24 +0000	[thread overview]
Message-ID: <20180907003716.57737-5-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180907003716.57737-1-alexander.levin@microsoft.com>

From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>

[ Upstream commit 29859aeb8a6ea17ba207933a81b6b77b4d4df81a ]

When run on a 64-bit system in selftest, the v7s driver may obtain page
tables with physical addresses larger than 32-bit. Level-2 tables are 1KB
and are allocated with slab, which doesn't accept the GFP_DMA32
flag. Currently map() truncates the address written in the PTE, causing
iova_to_phys() or unmap() to access invalid memory. Kasan reports it as
a use-after-free. To avoid any nasty surprise, test if the physical
address fits in a PTE before returning a new table. 32-bit systems,
which are the main users of this page table format, shouldn't see any
difference.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 drivers/iommu/io-pgtable-arm-v7s.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/io-pgtable-arm-v7s.c b/drivers/iommu/io-pgtable-arm-v7s.c
index 6961fc393f0b..29b7a6755fcd 100644
--- a/drivers/iommu/io-pgtable-arm-v7s.c
+++ b/drivers/iommu/io-pgtable-arm-v7s.c
@@ -192,6 +192,7 @@ static void *__arm_v7s_alloc_table(int lvl, gfp_t gfp,
 {
 	struct io_pgtable_cfg *cfg = &data->iop.cfg;
 	struct device *dev = cfg->iommu_dev;
+	phys_addr_t phys;
 	dma_addr_t dma;
 	size_t size = ARM_V7S_TABLE_SIZE(lvl);
 	void *table = NULL;
@@ -200,6 +201,10 @@ static void *__arm_v7s_alloc_table(int lvl, gfp_t gfp,
 		table = (void *)__get_dma_pages(__GFP_ZERO, get_order(size));
 	else if (lvl == 2)
 		table = kmem_cache_zalloc(data->l2_tables, gfp | GFP_DMA);
+	phys = virt_to_phys(table);
+	if (phys != (arm_v7s_iopte)phys)
+		/* Doesn't fit in PTE */
+		goto out_free;
 	if (table && !(cfg->quirks & IO_PGTABLE_QUIRK_NO_DMA)) {
 		dma = dma_map_single(dev, table, size, DMA_TO_DEVICE);
 		if (dma_mapping_error(dev, dma))
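Review bot: virt_to_phys(table) is evaluated before table has been checked for NULL, although the very next statement still guards on `if (table && ...)`; when kmem_cache_zalloc() or __get_dma_pages() fails, the new test computes a physical address from a NULL pointer and may jump to out_free with table == NULL. Move the test under the NULL check, e.g. `if (table) { phys = virt_to_phys(table); if (phys != (arm_v7s_iopte)phys) goto out_free; }`, or return NULL as soon as the allocation fails. Two smaller points on the same lines: the `/* Doesn't fit in PTE */` comment sits between the `if` and its unbraced `goto`, so it is better placed above the `if`; and the abort is silent, the caller only sees a NULL table, so a dev_warn() or WARN_ON_ONCE() here would make the failure the commit message describes diagnosable instead of surfacing as a plain allocation error.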
@@ -209,7 +214,7 @@ static void *__arm_v7s_alloc_table(int lvl, gfp_t gfp,
 		 * address directly, so if the DMA layer suggests otherwise by
 		 * translating or truncating them, that bodes very badly...
 		 */
-		if (dma != virt_to_phys(table))
+		if (dma != phys)
 			goto out_unmap;
 	}
 	kmemleak_ignore(table);
-- 
2.17.1
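The truncation the commit message describes, as an added example that is not part of this patch or of the kernel source: a 64-bit physical table address is encoded into a 32-bit short-descriptor PTE first the pre-patch way (the cast silently drops the high bits, so a later walk follows the wrong address) and then with the fits-in-PTE test the patch adds. The PTE layout constants (table type bits, 1KB level-2 alignment), the helper names and the sample addresses are assumptions made here for illustration, not values taken from the driver.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Short-descriptor (v7s) PTEs are 32-bit; on a 64-bit host phys_addr_t is not. */
typedef uint32_t arm_v7s_iopte;
typedef uint64_t phys_addr_t;

/* Assumed layout of a level-1 "page table" descriptor: bits [1:0] = 0b01,
 * bits [31:10] = base of the 1KB level-2 table (1KB from the commit message). */
#define V7S_PTE_TYPE_TABLE   0x1u
#define V7S_L2_TABLE_SIZE    1024u
#define V7S_TABLE_ADDR_MASK  (~(arm_v7s_iopte)(V7S_L2_TABLE_SIZE - 1))

/* Pre-patch behaviour: the cast silently drops bits 63:32 of the address. */
static arm_v7s_iopte pte_table_truncating(phys_addr_t phys)
{
	return (arm_v7s_iopte)phys | V7S_PTE_TYPE_TABLE;
}

/* Patched behaviour: refuse a table whose address does not round-trip through
 * the PTE. Returns 0 and fills *pte, or a negative errno as the kernel does. */
static int pte_table_checked(phys_addr_t phys, arm_v7s_iopte *pte)
{
	if (phys & (V7S_L2_TABLE_SIZE - 1))
		return -EINVAL;			/* not 1KB aligned */
	if (phys != (arm_v7s_iopte)phys)	/* the test the patch adds */
		return -ERANGE;			/* doesn't fit in PTE */
	*pte = (arm_v7s_iopte)phys | V7S_PTE_TYPE_TABLE;
	return 0;
}

/* What iova_to_phys()/unmap() do next: recover the table address from the PTE. */
static phys_addr_t pte_to_table(arm_v7s_iopte pte)
{
	return pte & V7S_TABLE_ADDR_MASK;
}

/* 1 if a truncating write would make a later walk dereference the wrong address. */
static int walk_goes_astray(phys_addr_t phys)
{
	return pte_to_table(pte_table_truncating(phys)) != phys;
}

/* Convenience wrappers: status only, and PTE value (0 when rejected). */
static int pte_table_status(phys_addr_t phys)
{
	arm_v7s_iopte pte;

	return pte_table_checked(phys, &pte);
}

static arm_v7s_iopte pte_table_value(phys_addr_t phys)
{
	arm_v7s_iopte pte = 0;

	if (pte_table_checked(phys, &pte))
		return 0;
	return pte;
}

int main(void)
{
	/* Constructed addresses: one below 4GB (a 32-bit system), one above (64-bit selftest). */
	phys_addr_t low = 0x80000400ULL, high = 0x100000400ULL;

	printf("low  0x%llx: astray=%d status=%d\n", (unsigned long long)low,
	       walk_goes_astray(low), pte_table_status(low));
	printf("high 0x%llx: astray=%d status=%d (walk would read 0x%llx)\n",
	       (unsigned long long)high, walk_goes_astray(high),
	       pte_table_status(high),
	       (unsigned long long)pte_to_table(pte_table_truncating(high)));
	return 0;
}
```

With the high address the truncating encoder yields a PTE whose table field is 0x400, so a walk would read a different physical page than the one that was allocated, which is the invalid access KASAN reported; the checked encoder returns -ERANGE before any PTE is written, matching the patch's goto out_free.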


Thread overview: 70+ messages
2018-09-07  0:37 [PATCH AUTOSEL 4.14 01/67] usb: dwc3: change stream event enable bit back to 13 Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 03/67] iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 02/67] usb: usbtest: use irqsave() in USB's complete callback Sasha Levin
2018-09-07  5:43   ` Greg Kroah-Hartman
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 04/67] iommu/arm-smmu: Error out only if not enough context interrupts Sasha Levin
2018-09-07  0:37 ` Sasha Levin [this message]
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 06/67] ALSA: pcm: Add __force to cast in snd_pcm_lib_read/write() Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 07/67] ALSA: msnd: Fix the default sample sizes Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 08/67] ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 09/67] xfrm: fix 'passing zero to ERR_PTR()' warning Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 11/67] gfs2: Special-case rindex for gfs2_grow Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 10/67] amd-xgbe: use dma_mapping_error to check map errors Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 12/67] clk: imx6ul: fix missing of_node_put() Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 13/67] clk: core: Potentially free connection id Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 14/67] clk: clk-fixed-factor: Clear OF_POPULATED flag in case of failure Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 15/67] kbuild: add .DELETE_ON_ERROR special target Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 16/67] media: tw686x: Fix oops on buffer alloc failure Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 17/67] dmaengine: pl330: fix irq race with terminate_all Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 18/67] MIPS: ath79: fix system restart Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 19/67] media: videobuf2-core: check for q->error in vb2_core_qbuf() Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 21/67] block: allow max_discard_segments to be stacked Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 20/67] IB/rxe: Drop QP0 silently Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 22/67] IB/ipoib: Fix error return code in ipoib_dev_init() Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 24/67] media: ov5645: Supported external clock is 24MHz Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 23/67] mtd/maps: fix solutionengine.c printk format warnings Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 25/67] perf test: Fix subtest number when showing results Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 27/67] ARM: exynos: Define EINT_WAKEUP_MASK registers for S5Pv210 and Exynos5433 Sasha Levin
2018-09-07  6:33   ` Krzysztof Kozlowski
2018-09-12 17:44     ` Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 26/67] gfs2: Don't reject a supposedly full bitmap if we have blocks reserved Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 28/67] perf tools: Synthesize GROUP_DESC feature in pipe mode Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 29/67] iio: ad9523: Fix displayed phase Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 31/67] fbdev: omapfb: off by one in omapfb_register_client() Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 30/67] iio: sca3000: Fix missing return in switch Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 32/67] perf tools: Fix struct comm_str removal crash Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 33/67] video: goldfishfb: fix memory leak on driver remove Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 34/67] fbdev/via: fix defined but not used warning Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 35/67] perf powerpc: Fix callchain ip filtering when return address is in a register Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 36/67] video: fbdev: pxafb: clear allocated memory for video modes Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 37/67] fbdev: Distinguish between interlaced and progressive modes Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 38/67] ARM: exynos: Clear global variable on init error path Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 39/67] perf powerpc: Fix callchain ip filtering Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 40/67] nvme-rdma: unquiesce queues when deleting the controller Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 42/67] powerpc/powernv: opal_put_chars partial write fix Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 41/67] KVM: arm/arm64: vgic: Fix possible spectre-v1 write in vgic_mmio_write_apr() Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 43/67] staging: bcm2835-camera: fix timeout handling in wait_for_completion_timeout Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 44/67] staging: bcm2835-camera: handle wait_for_completion_timeout return properly Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 45/67] ASoC: rt5514: Fix the issue of the delay volume applied Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 46/67] MIPS: jz4740: Bump zload address Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 47/67] mac80211: restrict delayed tailroom needed decrement Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 48/67] Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 49/67] wan/fsl_ucc_hdlc: use IS_ERR_VALUE() to check return value of qe_muram_alloc Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 50/67] arm64: fix possible spectre-v1 write in ptrace_hbp_set_event() Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 51/67] reset: imx7: Fix always writing bits as 0 Sasha Levin
2018-09-07  0:37 ` [PATCH AUTOSEL 4.14 52/67] efi/arm: preserve early mapping of UEFI memory map longer for BGRT Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 54/67] xen-netfront: fix queue name setting Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 53/67] nfp: avoid buffer leak when FW communication fails Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 55/67] arm64: dts: qcom: db410c: Fix Bluetooth LED trigger Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 56/67] ARM: dts: qcom: msm8974-hammerhead: increase load on l20 for sdhci Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 57/67] s390/qeth: fix race in used-buffer accounting Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 59/67] platform/x86: toshiba_acpi: Fix defined but not used build warnings Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 58/67] s390/qeth: reset layer2 attribute on layer switch Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 60/67] KVM: arm/arm64: Fix vgic init race Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 62/67] i2c: aspeed: Fix initial values of master and slave state Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 61/67] drivers/base: stop new probing during shutdown Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 63/67] dmaengine: mv_xor_v2: kill the tasklets upon exit Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 64/67] crypto: sharah - Unregister correct algorithms for SAHARA 3 Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 65/67] x86/pti: Check the return value of pti_user_pagetable_walk_p4d() Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 66/67] x86/pti: Check the return value of pti_user_pagetable_walk_pmd() Sasha Levin
2018-09-07  0:38 ` [PATCH AUTOSEL 4.14 67/67] x86/mm/pti: Add an overflow check to pti_clone_pmds() Sasha Levin
