From: Jason Gunthorpe <jgg@nvidia.com>
To: Nicolin Chen <nicolinc@nvidia.com>
Cc: agross@kernel.org, bjorn.andersson@linaro.org,
konrad.dybcio@somainline.org, joro@8bytes.org, will@kernel.org,
robin.murphy@arm.com, sricharan@codeaurora.org,
kevin.tian@intel.com, linux-arm-msm@vger.kernel.org,
iommu@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 1/6] iommu/msm: Fix error-out routine in msm_iommu_attach_dev()
Date: Thu, 22 Sep 2022 14:23:22 -0300
Message-ID: <YyyaCoHC95yyJpOK@nvidia.com>
In-Reply-To: <23e009bba72c3e46320c59acefbbdd976111cc8a.1663836372.git.nicolinc@nvidia.com>
On Thu, Sep 22, 2022 at 01:53:44AM -0700, Nicolin Chen wrote:
> diff --git a/drivers/iommu/msm_iommu.c b/drivers/iommu/msm_iommu.c
> index 6a24aa804ea3..14df722f0060 100644
> --- a/drivers/iommu/msm_iommu.c
> +++ b/drivers/iommu/msm_iommu.c
> @@ -394,6 +394,34 @@ static struct iommu_device *msm_iommu_probe_device(struct device *dev)
> return &iommu->iommu;
> }
>
> +static void msm_iommu_detach_dev(struct iommu_domain *domain,
> + struct device *dev)
> +{
> + struct msm_priv *priv = to_msm_priv(domain);
> + unsigned long flags;
> + struct msm_iommu_dev *iommu;
> + struct msm_iommu_ctx_dev *master;
> + int ret;
> +
> + free_io_pgtable_ops(priv->iop);
> +
> + spin_lock_irqsave(&msm_iommu_lock, flags);
> + list_for_each_entry(iommu, &priv->list_attached, dom_node) {
> + ret = __enable_clocks(iommu);
> + if (ret)
> + goto fail;
> +
> + list_for_each_entry(master, &iommu->ctx_list, list) {
> + msm_iommu_free_ctx(iommu->context_map, master->num);
> + __reset_context(iommu->base, master->num);
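
Review bot: In msm_iommu_detach_dev(), the `goto fail` taken when `__enable_clocks(iommu)` fails abandons the `list_for_each_entry` walk over `priv->list_attached` partway through, after `free_io_pgtable_ops(priv->iop)` has already run, so the remaining IOMMUs are never passed to `__reset_context()`, and because the function returns void the caller cannot tell. Consider carrying on with the next entry on a clock failure, or at least logging it. Separately, `msm_iommu_free_ctx(iommu->context_map, master->num)` uses `master->num` with no check that it holds an allocated context index; validating it before the call would keep the function from clearing a bit this master does not own.
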
This isn't safe if the loop in msm_iommu_attach_dev() exits
early.

Firstly it leaves master->num set to -ERRNO so clear_bit will
corrupt memory.

Secondly if the attach loop gets half way through the remaining
entries have master->num == 0 and so the clear_bit() will corrupt an
otherwise valid entry.

Fixing all of this properly looks like a big deal, I think we should
drop this patch from the series.

Jason
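
A user-space model of the bookkeeping hazard raised in the reply above, added here as an illustration and not code from the patch or from the msm_iommu driver. It shows one way to keep an early attach exit from poisoning a later detach: the error code is never stored in `num`, unattached masters carry a sentinel, and the free path validates the index. All names (`ctx_alloc`, `ctx_free`, `attach_all`, `detach_all`, `demo`, `NO_CTX`, `NCTX`) and the 8-context bitmap are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#define NCTX   8      /* contexts per modelled IOMMU (assumed value) */
#define NO_CTX (-1)   /* sentinel: this master holds no context */
struct master { int num; };   /* hypothetical stand-in, not the driver's struct */
int demo_ret;                 /* attach result of the last demo() call */

static int ctx_alloc(unsigned long *map)   /* lowest free bit, or -ENOSPC */
{
	for (int i = 0; i < NCTX; i++)
		if (!(*map & (1UL << i))) { *map |= 1UL << i; return i; }
	return -ENOSPC;
}

static int ctx_free(unsigned long *map, int idx)   /* guarded clear_bit() analogue */
{
	if (idx < 0 || idx >= NCTX || !(*map & (1UL << idx)))
		return -EINVAL;   /* sentinel, -errno, out of range, or not allocated */
	*map &= ~(1UL << idx);
	return 0;
}

static void detach_all(unsigned long *map, struct master *m, int n)
{
	for (int i = 0; i < n; i++)
		if (ctx_free(map, m[i].num) == 0)   /* no-op if never attached */
			m[i].num = NO_CTX;
}

static int attach_all(unsigned long *map, struct master *m, int n)
{
	for (int i = 0; i < n; i++) {
		int idx = ctx_alloc(map);
		if (idx < 0) {                /* the error never lands in m[i].num */
			detach_all(map, m, i);    /* unwind only this call's allocations */
			return idx;
		}
		m[i].num = idx;
	}
	return 0;
}

unsigned long demo(unsigned long busy)   /* constructed: `busy` bits are other users' */
{
	struct master m[4] = { {NO_CTX}, {NO_CTX}, {NO_CTX}, {NO_CTX} };
	demo_ret = attach_all(&busy, m, 4);
	detach_all(&busy, m, 4);          /* must leave the other users' bits intact */
	return busy;
}
int main(void) { printf("map=%#lx\n", demo(0x3f)); return 0; }
```

With six of the eight contexts already taken, the attach fails on the third master, and the later detach leaves the six pre-existing bits untouched.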