From: Joerg Roedel <joro@8bytes.org>
To: Matthew Rosato <mjrosato@linux.ibm.com>
Cc: schnelle@linux.ibm.com, will@kernel.org, robin.murphy@arm.com,
gerald.schaefer@linux.ibm.com, jgg@ziepe.ca,
iommu@lists.linux.dev, linux-kernel@vger.kernel.org,
linux-s390@vger.kernel.org, stable@vger.kernel.org,
Cam Miller <cam@linux.ibm.com>
Subject: Re: [PATCH] iommu/s390: Fix memory corruption when using identity domain
Date: Fri, 5 Sep 2025 14:50:28 +0200 [thread overview]
Message-ID: <aLrclKHjVgTrNWA_@8bytes.org> (raw)
In-Reply-To: <20250827210828.274527-1-mjrosato@linux.ibm.com>
On Wed, Aug 27, 2025 at 05:08:27PM -0400, Matthew Rosato wrote:
> zpci_get_iommu_ctrs() returns counter information to be reported as part
> of device statistics; these counters are stored as part of the s390_domain.
> The problem, however, is that the identity domain is not backed by an
> s390_domain and so the conversion via to_s390_domain() yields a bad address
> that is zero'd initially and read on-demand later via a sysfs read.
> These counters aren't necessary for the identity domain; just return NULL
> in this case.
>
> This issue was discovered via KASAN with reports that look like:
> BUG: KASAN: global-out-of-bounds in zpci_fmb_enable_device
> when using the identity domain for a device on s390.
>
> Cc: stable@vger.kernel.org
> Fixes: 64af12c6ec3a ("iommu/s390: implement iommu passthrough via identity domain")
> Reported-by: Cam Miller <cam@linux.ibm.com>
> Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
> ---
> drivers/iommu/s390-iommu.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
Applied for -rc, thanks.
prev parent reply other threads:[~2025-09-05 12:50 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-27 21:08 [PATCH] iommu/s390: Fix memory corruption when using identity domain Matthew Rosato
2025-08-28 8:10 ` Niklas Schnelle
2025-08-28 19:44 ` Farhan Ali
2025-09-02 15:52 ` Cam Miller
2025-09-05 12:50 ` Joerg Roedel [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aLrclKHjVgTrNWA_@8bytes.org \
--to=joro@8bytes.org \
--cc=cam@linux.ibm.com \
--cc=gerald.schaefer@linux.ibm.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=mjrosato@linux.ibm.com \
--cc=robin.murphy@arm.com \
--cc=schnelle@linux.ibm.com \
--cc=stable@vger.kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.