From: Jan Kiszka <jan.kiszka@siemens.com>
To: Chris Wright <chrisw@sous-sol.org>,
	David Woodhouse <David.Woodhouse@intel.com>
Cc: Sheng Yang <sheng@linux.intel.com>,
	David Woodhouse <dwmw2@infradead.org>,
	iommu@lists.linux-foundation.org,
	Marcelo Tosatti <mtosatti@redhat.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	kvm <kvm@vger.kernel.org>, Avi Kivity <avi@redhat.com>
Subject: [PATCH v2] intel-iommu: Fix use after release during device attach
Date: Thu, 21 Apr 2011 14:32:07 +0200
Message-ID: <4DB023C7.5070007@siemens.com>
In-Reply-To: <4D22F9A4.3050807@web.de>

On 2011-01-04 11:42, Jan Kiszka wrote:
> Am 10.12.2010 19:44, Chris Wright wrote:
>> * Jan Kiszka (jan.kiszka@siemens.com) wrote:
>>>>>> --- a/drivers/pci/intel-iommu.c
>>>>>> +++ b/drivers/pci/intel-iommu.c
>>>>>> @@ -3627,9 +3627,9 @@ static int intel_iommu_attach_device(struct
>>>>>> iommu_domain *domain,
>>>>>>
>>>>>>  		pte = dmar_domain->pgd;
>>>>>>  		if (dma_pte_present(pte)) {
>>>>>> -			free_pgtable_page(dmar_domain->pgd);
>>>>>>  			dmar_domain->pgd = (struct dma_pte *)
>>>>>>  				phys_to_virt(dma_pte_addr(pte));
>>
>> While here, might as well remove the unnecessary cast.
>>
>>>>>> +			free_pgtable_page(pte);
>>>>>>  		}
>>>>>>  		dmar_domain->agaw--;
>>>>>>  	}
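Review bot: The added free_pgtable_page(pte) is only correct because pte was captured from dmar_domain->pgd in the context line above, before dmar_domain->pgd is reassigned, and nothing in the code says so. The order is easy to swap back by accident in a later cleanup, so a one-line comment above the assignment, stating that the next-level address has to be read out of the old top-level page before that page is released, would protect the fix.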
>>>>>
>>>>> Reviewed-by: Sheng Yang <sheng@linux.intel.com>
>>
>> Acked-by: Chris Wright <chrisw@sous-sol.org>
>>
>>>>> CC iommu mailing list and David.
>>>>
>>>> Ping...
>>>>
>>>> I think this fix also qualifies for stable (.35 and .36).
>>>>
>>>
>>> Still not merged?
>>
>> David, do you plan to pick this one up?
>>
>> thanks,
>> -chris
> 
> Hmm, still no reaction. Trying David's Intel address now...
> 
> Jan
> 

Walking through my old queues, I came across this one again.

Given the still lacking reaction from the official maintainer, I'm a
bit confused about the state of intel-iommu. Is it unmaintained? Should
this bug fix better be routed through the KVM tree as its only in-tree
user? Please enlighten me.

Note that the patch became stable material for 35..38 in the meantime,
and it should go into 39 before release as well.

Thanks,
Jan

-------8<--------

Obtain the new pgd pointer before releasing the page containing this
value. Remove unneeded cast at this chance as well.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 drivers/pci/intel-iommu.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

v1->v2: Clean up cast as suggested by Chris.

diff --git a/drivers/pci/intel-iommu.c b/drivers/pci/intel-iommu.c
index 505c1c7..b3e5c43 100644
--- a/drivers/pci/intel-iommu.c
+++ b/drivers/pci/intel-iommu.c
@@ -3607,9 +3607,8 @@ static int intel_iommu_attach_device(struct iommu_domain *domain,
 
 		pte = dmar_domain->pgd;
 		if (dma_pte_present(pte)) {
-			free_pgtable_page(dmar_domain->pgd);
-			dmar_domain->pgd = (struct dma_pte *)
-				phys_to_virt(dma_pte_addr(pte));
+			dmar_domain->pgd = phys_to_virt(dma_pte_addr(pte));
+			free_pgtable_page(pte);
 		}
 		dmar_domain->agaw--;
 	}
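Review bot: The changelog for this hunk does not say what the removed order did wrong or which releases need the fix. In the removed lines free_pgtable_page(dmar_domain->pgd) ran before dma_pte_addr(pte) read the entry, and pte points at that same page, so the new pgd was computed from memory that had already been released. Spelling that out in the commit message, and adding a stable tag next to the Signed-off-by since the cover text calls this stable material for 35..38, would let stable maintainers pick it up without reading the thread. The cast removal is fine as phys_to_virt() is assigned straight to dmar_domain->pgd.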
-- 
1.7.1
