From: Jean-Philippe Brucker <jean-philippe@linaro.org>
To: iommu@lists.linux-foundation.org
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>,
mst@redhat.com, virtualization@lists.linux-foundation.org,
bbhushan2@marvell.com, jasowang@redhat.com
Subject: [PATCH v2 2/3] iommu/virtio: Fix freeing of incomplete domains
Date: Thu, 26 Mar 2020 10:35:57 +0100 [thread overview]
Message-ID: <20200326093558.2641019-3-jean-philippe@linaro.org> (raw)
In-Reply-To: <20200326093558.2641019-1-jean-philippe@linaro.org>
Calling viommu_domain_free() on a domain that hasn't been finalised (not
attached to any device, for example) can currently cause an Oops,
because we attempt to call ida_free() on ID 0, which may either be
unallocated or used by another domain.
Only initialise the vdomain->viommu pointer, which denotes a finalised
domain, at the end of a successful viommu_domain_finalise().
Fixes: edcd69ab9a32 ("iommu: Add virtio-iommu driver")
Reported-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
---
drivers/iommu/virtio-iommu.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c
index cce329d71fba..5eed75cd121f 100644
--- a/drivers/iommu/virtio-iommu.c
+++ b/drivers/iommu/virtio-iommu.c
@@ -613,18 +613,20 @@ static int viommu_domain_finalise(struct viommu_dev *viommu,
int ret;
struct viommu_domain *vdomain = to_viommu_domain(domain);
- vdomain->viommu = viommu;
- vdomain->map_flags = viommu->map_flags;
+ ret = ida_alloc_range(&viommu->domain_ids, viommu->first_domain,
+ viommu->last_domain, GFP_KERNEL);
+ if (ret < 0)
+ return ret;
+
+ vdomain->id = (unsigned int)ret;
domain->pgsize_bitmap = viommu->pgsize_bitmap;
domain->geometry = viommu->geometry;
- ret = ida_alloc_range(&viommu->domain_ids, viommu->first_domain,
- viommu->last_domain, GFP_KERNEL);
- if (ret >= 0)
- vdomain->id = (unsigned int)ret;
+ vdomain->map_flags = viommu->map_flags;
+ vdomain->viommu = viommu;
- return ret > 0 ? 0 : ret;
+ return 0;
}
static void viommu_domain_free(struct iommu_domain *domain)
--
2.25.1
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
WARNING: multiple messages have this Message-ID (diff)
From: Jean-Philippe Brucker <jean-philippe-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
To: iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Cc: Jean-Philippe Brucker
<jean-philippe-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
mst-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
virtualization-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
bbhushan2-eYqpPyKDWXRBDgjK7y7TUQ@public.gmane.org,
jasowang-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Subject: [PATCH v2 2/3] iommu/virtio: Fix freeing of incomplete domains
Date: Thu, 26 Mar 2020 10:35:57 +0100 [thread overview]
Message-ID: <20200326093558.2641019-3-jean-philippe@linaro.org> (raw)
In-Reply-To: <20200326093558.2641019-1-jean-philippe-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
Calling viommu_domain_free() on a domain that hasn't been finalised (not
attached to any device, for example) can currently cause an Oops,
because we attempt to call ida_free() on ID 0, which may either be
unallocated or used by another domain.
Only initialise the vdomain->viommu pointer, which denotes a finalised
domain, at the end of a successful viommu_domain_finalise().
Fixes: edcd69ab9a32 ("iommu: Add virtio-iommu driver")
Reported-by: Eric Auger <eric.auger-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Signed-off-by: Jean-Philippe Brucker <jean-philippe-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
---
drivers/iommu/virtio-iommu.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/drivers/iommu/virtio-iommu.c b/drivers/iommu/virtio-iommu.c
index cce329d71fba..5eed75cd121f 100644
--- a/drivers/iommu/virtio-iommu.c
+++ b/drivers/iommu/virtio-iommu.c
@@ -613,18 +613,20 @@ static int viommu_domain_finalise(struct viommu_dev *viommu,
int ret;
struct viommu_domain *vdomain = to_viommu_domain(domain);
- vdomain->viommu = viommu;
- vdomain->map_flags = viommu->map_flags;
+ ret = ida_alloc_range(&viommu->domain_ids, viommu->first_domain,
+ viommu->last_domain, GFP_KERNEL);
+ if (ret < 0)
+ return ret;
+
+ vdomain->id = (unsigned int)ret;
domain->pgsize_bitmap = viommu->pgsize_bitmap;
domain->geometry = viommu->geometry;
- ret = ida_alloc_range(&viommu->domain_ids, viommu->first_domain,
- viommu->last_domain, GFP_KERNEL);
- if (ret >= 0)
- vdomain->id = (unsigned int)ret;
+ vdomain->map_flags = viommu->map_flags;
+ vdomain->viommu = viommu;
- return ret > 0 ? 0 : ret;
+ return 0;
}
static void viommu_domain_free(struct iommu_domain *domain)
--
2.25.1
next prev parent reply other threads:[~2020-03-26 9:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-26 9:35 [PATCH v2 0/3] iommu/virtio: Misc fixes Jean-Philippe Brucker
2020-03-26 9:35 ` Jean-Philippe Brucker
2020-03-26 9:35 ` [PATCH v2 1/3] iommu/virtio: Fix sparse warning Jean-Philippe Brucker
2020-03-26 9:35 ` Jean-Philippe Brucker
2020-03-26 9:35 ` Jean-Philippe Brucker [this message]
2020-03-26 9:35 ` [PATCH v2 2/3] iommu/virtio: Fix freeing of incomplete domains Jean-Philippe Brucker
2020-03-26 12:09 ` Robin Murphy
2020-03-26 12:09 ` Robin Murphy
2020-03-26 9:35 ` [PATCH v2 3/3] iommu/virtio: Reject IOMMU page granule larger than PAGE_SIZE Jean-Philippe Brucker
2020-03-26 9:35 ` Jean-Philippe Brucker
2020-03-26 12:13 ` Robin Murphy
2020-03-26 12:13 ` Robin Murphy
2020-03-26 17:41 ` Auger Eric
2020-03-26 17:41 ` Auger Eric
2020-03-27 5:48 ` [EXT] " Bharat Bhushan
2020-03-27 5:48 ` Bharat Bhushan
2020-03-27 10:11 ` [PATCH v2 0/3] iommu/virtio: Misc fixes Joerg Roedel
2020-03-27 10:11 ` Joerg Roedel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200326093558.2641019-3-jean-philippe@linaro.org \
--to=jean-philippe@linaro.org \
--cc=bbhushan2@marvell.com \
--cc=iommu@lists.linux-foundation.org \
--cc=jasowang@redhat.com \
--cc=mst@redhat.com \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.