From: Jan Kiszka <jan.kiszka@web.de>
To: Sheng Yang <sheng@linux.intel.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	kvm <kvm@vger.kernel.org>, Avi Kivity <avi@redhat.com>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	iommu@lists.linux-foundation.org,
	David Woodhouse <dwmw2@infradead.org>
Subject: Re: [PATCH] intel-iommu: Fix use after release during device attach
Date: Tue, 02 Nov 2010 08:46:11 +0100
Message-ID: <4CCFC1C3.4070807@web.de>
In-Reply-To: <201011021531.22886.sheng@linux.intel.com>

On 02.11.2010 08:31, Sheng Yang wrote:
> On Tuesday 02 November 2010 15:05:51 Jan Kiszka wrote:
>> From: Jan Kiszka <jan.kiszka@siemens.com>
>>
>> Obtain the new pgd pointer before releasing the page containing this
>> value.
>>
>> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
>> ---
>>
>> Who is taking care of this? The kvm tree?
>>
>>  drivers/pci/intel-iommu.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
>> index 4789f8e..35463dd 100644
>> --- a/drivers/pci/intel-iommu.c
>> +++ b/drivers/pci/intel-iommu.c
>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
>> iommu_domain *domain,
>>
>>  		pte = dmar_domain->pgd;
>>  		if (dma_pte_present(pte)) {
>> -			free_pgtable_page(dmar_domain->pgd);
>>  			dmar_domain->pgd = (struct dma_pte *)
>>  				phys_to_virt(dma_pte_addr(pte));
>> +			free_pgtable_page(pte);
>>  		}
>>  		dmar_domain->agaw--;
>>  	}
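
Review bot: nothing in the if (dma_pte_present(pte)) body records that the statement order is load-bearing. pte is assigned from dmar_domain->pgd just above, so dma_pte_addr(pte) reads from the very page that free_pgtable_page() releases, and the read has to come first. A one-line comment above free_pgtable_page(pte); saying the page must stay allocated until the next-level address has been read from it would keep a later cleanup from swapping the two statements back. The commit message would also be easier to follow if it said that pte and dmar_domain->pgd point at the same page.
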
> 
> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
> 
> CC iommu mailing list and David.
> 
> OK, Jan, I got your meaning now. And it's not the exactly swap. :)
> 
> I think the old code is safe, seems it's broken(exposed) by: 
> 
> commit 1a8bd481bfba30515b54368d90a915db3faf302f
> Author: David Woodhouse <David.Woodhouse@intel.com>
> Date:   Tue Aug 10 01:38:53 2010 +0100
> 
>     intel-iommu: Fix 32-bit build warning with __cmpxchg()
>     
>     drivers/pci/intel-iommu.c: In function 'dma_pte_addr':
>     drivers/pci/intel-iommu.c:239: warning: passing argument 1 of '__cmpxchg64' 
> from incompatible pointer typ
>     
>     It seems that __cmpxchg64() now cares about the type of its pointer argument,
>     so give it a (uint64_t *) instead of a pointer to a structure which contains
>     only that.
>     
>     Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
> 
> diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
> index c9171be..603cdc0 100644
> --- a/drivers/pci/intel-iommu.c
> +++ b/drivers/pci/intel-iommu.c
> @@ -236,7 +236,7 @@ static inline u64 dma_pte_addr(struct dma_pte *pte)
>         return pte->val & VTD_PAGE_MASK;
>  #else
>         /* Must have a full atomic 64-bit read */
> -       return  __cmpxchg64(pte, 0ULL, 0ULL) & VTD_PAGE_MASK;
> +       return  __cmpxchg64(&pte->val, 0ULL, 0ULL) & VTD_PAGE_MASK;
>  #endif
>  }
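
Review bot: the commit message should say outright that this is a type-only change with no functional effect. The only modified line is the __cmpxchg64() call in the #else arm, and since the message states that the structure contains only that member, &pte->val and pte are the same address. Stating that, and that the return pte->val & VTD_PAGE_MASK; arm above the #else is untouched, would make it easier to rule this commit in or out when bisecting.
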
> 
> Seems here is the only affected code?

CONFIG_64BIT is on here, so this change did not make a difference for me.

Jan

