All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jacob Pan <jacob.jun.pan@linux.intel.com>
To: Joerg Roedel <joro@8bytes.org>
Cc: Pan Bian <bianpan2016@163.com>,
	iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org,
	David Woodhouse <dwmw2@infradead.org>,
	jacob.jun.pan@linux.intel.com
Subject: Re: iommu/vt-d: drop mm use count if address is not canonical
Date: Fri, 26 Apr 2019 08:47:31 -0700	[thread overview]
Message-ID: <20190426084731.7481d384@jacob-builder> (raw)
In-Reply-To: <20190426133846.GC24576@8bytes.org>

On Fri, 26 Apr 2019 15:38:46 +0200
Joerg Roedel <joro@8bytes.org> wrote:

> [ Adding more people. ]
> 
> On Wed, Apr 17, 2019 at 05:12:57PM +0800, Pan Bian wrote:
> > The use count of svm->mm is incremented by mmget_not_zero. However,
> > it is not dropped when the address is not canonical. This patch
> > fixes the bug.
> > 
> > Fixes: 9d8c3af31607("iommu/vt-d: IOMMU Page Request needs to check
> > if address is canonical.")
> > 
> > Signed-off-by: Pan Bian <bianpan2016@163.com>
> > ---
> >  drivers/iommu/intel-svm.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
> > index 3a4b09a..2630d2e 100644
> > --- a/drivers/iommu/intel-svm.c
> > +++ b/drivers/iommu/intel-svm.c
> > @@ -574,8 +574,10 @@ static irqreturn_t prq_event_thread(int irq,
> > void *d) goto bad_req;
> >  
> >  		/* If address is not canonical, return invalid
> > response */
> > -		if (!is_canonical_address(address))
> > +		if (!is_canonical_address(address)) {
> > +			mmput(svm->mm);
> >  			goto bad_req;
> > +		}
> >  
> >  		down_read(&svm->mm->mmap_sem);
> >  		vma = find_extend_vma(svm->mm, address);  
> 
> I think it is better to move the canonical address check before
> mmget_not_zero() like in the diff below. But I let David and Jacob
> comment on this.
> 
Looks good to me. Tested with PRQ and fake non canonical address then
send an invalid page response.

 Tested-by: Jacob Pan <jacob.jun.pan@linux.intel.com>


> Regards,
> 
> 	Joerg
> 
> diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
> index 8f87304f915c..5e9e1eee8336 100644
> --- a/drivers/iommu/intel-svm.c
> +++ b/drivers/iommu/intel-svm.c
> @@ -586,14 +586,15 @@ static irqreturn_t prq_event_thread(int irq,
> void *d)
>  		 * any faults on kernel addresses. */
>  		if (!svm->mm)
>  			goto bad_req;
> -		/* If the mm is already defunct, don't handle
> faults. */
> -		if (!mmget_not_zero(svm->mm))
> -			goto bad_req;
>  
>  		/* If address is not canonical, return invalid
> response */ if (!is_canonical_address(address))
>  			goto bad_req;
>  
> +		/* If the mm is already defunct, don't handle
> faults. */
> +		if (!mmget_not_zero(svm->mm))
> +			goto bad_req;
> +
>  		down_read(&svm->mm->mmap_sem);
>  		vma = find_extend_vma(svm->mm, address);
>  		if (!vma || address < vma->vm_start)

[Jacob Pan]

WARNING: multiple messages have this Message-ID (diff)
From: Jacob Pan <jacob.jun.pan@linux.intel.com>
To: Joerg Roedel <joro@8bytes.org>
Cc: Pan Bian <bianpan2016@163.com>,
	David Woodhouse <dwmw2@infradead.org>,
	iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org
Subject: Re: iommu/vt-d: drop mm use count if address is not canonical
Date: Fri, 26 Apr 2019 08:47:31 -0700	[thread overview]
Message-ID: <20190426084731.7481d384@jacob-builder> (raw)
Message-ID: <20190426154731.bO31G6Z2eeDbtbs_jyZuaU7XPWPYc73F0-t42iwBz54@z> (raw)
In-Reply-To: <20190426133846.GC24576@8bytes.org>

On Fri, 26 Apr 2019 15:38:46 +0200
Joerg Roedel <joro@8bytes.org> wrote:

> [ Adding more people. ]
> 
> On Wed, Apr 17, 2019 at 05:12:57PM +0800, Pan Bian wrote:
> > The use count of svm->mm is incremented by mmget_not_zero. However,
> > it is not dropped when the address is not canonical. This patch
> > fixes the bug.
> > 
> > Fixes: 9d8c3af31607("iommu/vt-d: IOMMU Page Request needs to check
> > if address is canonical.")
> > 
> > Signed-off-by: Pan Bian <bianpan2016@163.com>
> > ---
> >  drivers/iommu/intel-svm.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
> > index 3a4b09a..2630d2e 100644
> > --- a/drivers/iommu/intel-svm.c
> > +++ b/drivers/iommu/intel-svm.c
> > @@ -574,8 +574,10 @@ static irqreturn_t prq_event_thread(int irq,
> > void *d) goto bad_req;
> >  
> >  		/* If address is not canonical, return invalid
> > response */
> > -		if (!is_canonical_address(address))
> > +		if (!is_canonical_address(address)) {
> > +			mmput(svm->mm);
> >  			goto bad_req;
> > +		}
> >  
> >  		down_read(&svm->mm->mmap_sem);
> >  		vma = find_extend_vma(svm->mm, address);  
> 
> I think it is better to move the canonical address check before
> mmget_not_zero() like in the diff below. But I let David and Jacob
> comment on this.
> 
Looks good to me. Tested with PRQ and fake non canonical address then
send an invalid page response.

 Tested-by: Jacob Pan <jacob.jun.pan@linux.intel.com>


> Regards,
> 
> 	Joerg
> 
> diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
> index 8f87304f915c..5e9e1eee8336 100644
> --- a/drivers/iommu/intel-svm.c
> +++ b/drivers/iommu/intel-svm.c
> @@ -586,14 +586,15 @@ static irqreturn_t prq_event_thread(int irq,
> void *d)
>  		 * any faults on kernel addresses. */
>  		if (!svm->mm)
>  			goto bad_req;
> -		/* If the mm is already defunct, don't handle
> faults. */
> -		if (!mmget_not_zero(svm->mm))
> -			goto bad_req;
>  
>  		/* If address is not canonical, return invalid
> response */ if (!is_canonical_address(address))
>  			goto bad_req;
>  
> +		/* If the mm is already defunct, don't handle
> faults. */
> +		if (!mmget_not_zero(svm->mm))
> +			goto bad_req;
> +
>  		down_read(&svm->mm->mmap_sem);
>  		vma = find_extend_vma(svm->mm, address);
>  		if (!vma || address < vma->vm_start)

[Jacob Pan]
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

  reply	other threads:[~2019-04-26 15:47 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-17  9:12 iommu/vt-d: drop mm use count if address is not canonical Pan Bian
2019-04-17  9:12 ` Pan Bian
2019-04-26 13:38 ` Joerg Roedel
2019-04-26 13:38   ` Joerg Roedel
2019-04-26 15:47   ` Jacob Pan [this message]
2019-04-26 15:47     ` Jacob Pan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190426084731.7481d384@jacob-builder \
    --to=jacob.jun.pan@linux.intel.com \
    --cc=bianpan2016@163.com \
    --cc=dwmw2@infradead.org \
    --cc=iommu@lists.linux-foundation.org \
    --cc=joro@8bytes.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.