From: Joerg Roedel <jroedel@suse.de>
To: Qian Cai <cai@lca.pw>
Cc: tmurphy@arista.com, iommu@lists.linux-foundation.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH -next v2] iommu/amd: fix a null-ptr-deref in map_sg()
Date: Tue, 7 May 2019 09:39:01 +0200 [thread overview]
Message-ID: <20190507073901.GC3486@suse.de> (raw)
In-Reply-To: <20190506164440.37399-1-cai@lca.pw>
Hi Qian,
On Mon, May 06, 2019 at 12:44:40PM -0400, Qian Cai wrote:
> The commit 1a1079011da3 ("iommu/amd: Flush not present cache in
> iommu_map_page") added domain_flush_np_cache() in map_sg() which
> triggered a crash below during boot. sg_next() could return NULL if
> sg_is_last() is true, so after for_each_sg(sglist, s, nelems, i), "s"
> could be NULL which ends up deferencing a NULL pointer later here,
>
> domain_flush_np_cache(domain, s->dma_address, s->dma_length);
>
> so move domain_flush_np_cache() call inside for_each_sg() to loop over
> each sg element.
Thanks for the fix, but it is too late to merge it into the tree. I am
going to revert commit 1a1079011da3 for now and we can try again in the
next cycle.
Thanks,
Joerg
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
WARNING: multiple messages have this Message-ID (diff)
From: Joerg Roedel <jroedel@suse.de>
To: Qian Cai <cai@lca.pw>
Cc: tmurphy@arista.com, iommu@lists.linux-foundation.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH -next v2] iommu/amd: fix a null-ptr-deref in map_sg()
Date: Tue, 7 May 2019 09:39:01 +0200 [thread overview]
Message-ID: <20190507073901.GC3486@suse.de> (raw)
In-Reply-To: <20190506164440.37399-1-cai@lca.pw>
Hi Qian,
On Mon, May 06, 2019 at 12:44:40PM -0400, Qian Cai wrote:
> The commit 1a1079011da3 ("iommu/amd: Flush not present cache in
> iommu_map_page") added domain_flush_np_cache() in map_sg() which
> triggered a crash below during boot. sg_next() could return NULL if
> sg_is_last() is true, so after for_each_sg(sglist, s, nelems, i), "s"
> could be NULL which ends up deferencing a NULL pointer later here,
>
> domain_flush_np_cache(domain, s->dma_address, s->dma_length);
>
> so move domain_flush_np_cache() call inside for_each_sg() to loop over
> each sg element.
Thanks for the fix, but it is too late to merge it into the tree. I am
going to revert commit 1a1079011da3 for now and we can try again in the
next cycle.
Thanks,
Joerg
next prev parent reply other threads:[~2019-05-07 11:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-06 16:44 [PATCH -next v2] iommu/amd: fix a null-ptr-deref in map_sg() Qian Cai
2019-05-06 16:44 ` Qian Cai
2019-05-07 7:39 ` Joerg Roedel [this message]
2019-05-07 7:39 ` Joerg Roedel
2019-06-06 14:12 ` Tom Murphy via iommu
2019-06-06 14:12 ` Tom Murphy
2019-06-12 8:04 ` Joerg Roedel
2019-06-12 8:04 ` Joerg Roedel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190507073901.GC3486@suse.de \
--to=jroedel@suse.de \
--cc=cai@lca.pw \
--cc=iommu@lists.linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tmurphy@arista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.