From: sashiko-bot@kernel.org
To: "Guanghui Feng" <guanghuifeng@linux.alibaba.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v3 15/32] iommu/mtk_v1: implement iova_to_phys_length
Date: Wed, 03 Jun 2026 15:58:50 +0000 [thread overview]
Message-ID: <20260603155850.D86141F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260603151804.1963871-16-guanghuifeng@linux.alibaba.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing IOVA bounds checking leads to out-of-bounds array read/write on the `pgt_va` array.
--
commit 3d307c9faf5208f019d6a8f030da9330ce0aa29b
Author: Guanghui Feng <guanghuifeng@linux.alibaba.com>
iommu/mtk_v1: implement iova_to_phys_length
Implement iova_to_phys_length for MediaTek v1 IOMMU driver,
returning the actual PTE mapping size.
Also fix pre-existing bug: add page offset to physical address.
> diff --git a/drivers/iommu/mtk_iommu_v1.c b/drivers/iommu/mtk_iommu_v1.c
> index ac97dd2868d4b..da41dda7620b8 100644
> --- a/drivers/iommu/mtk_iommu_v1.c
> +++ b/drivers/iommu/mtk_iommu_v1.c
[ ... ]
> -static phys_addr_t mtk_iommu_v1_iova_to_phys(struct iommu_domain *domain, dma_addr_t iova)
> +static phys_addr_t mtk_iommu_v1_iova_to_phys_length(struct iommu_domain *domain,
> + dma_addr_t iova,
> + size_t *mapped_length)
> {
> struct mtk_iommu_v1_domain *dom = to_mtk_domain(domain);
> unsigned long flags;
> @@ -404,6 +406,13 @@ static phys_addr_t mtk_iommu_v1_iova_to_phys(struct iommu_domain *domain, dma_ad
> pa = pa & (~(MT2701_IOMMU_PAGE_SIZE - 1));
[Severity: High]
This is a pre-existing issue, but does this array access lack bounds
checking on the iova parameter?
Looking at the code just above this line in mtk_iommu_v1_iova_to_phys_length():
pa = *(dom->pgt_va + (iova >> MT2701_IOMMU_PAGE_SHIFT));
Since the driver doesn't appear to initialize domain.geometry.aperture_end
or set force_aperture = true, the generic IOMMU layer won't enforce an
upper limit on the IOVA.
If a user-space program using VFIO or a device with a >32-bit DMA mask
requests an IOVA >= 4GB, the index calculated by
(iova >> MT2701_IOMMU_PAGE_SHIFT) could exceed the bounds of the 4MB
pgt_va array, leading to an out-of-bounds read here.
This same out-of-bounds access pattern also seems to occur in
mtk_iommu_v1_map() and mtk_iommu_v1_unmap() when calculating pgt_base_iova,
where it can lead to memory corruption during out-of-bounds writes.
> spin_unlock_irqrestore(&dom->pgtlock, flags);
>
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260603151804.1963871-1-guanghuifeng@linux.alibaba.com?part=15
next prev parent reply other threads:[~2026-06-03 15:58 UTC|newest]
Thread overview: 144+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 7:09 [RFC PATCH] Optimize VFIO and IOMMU mapping traversal Guanghui Feng
2026-05-29 7:52 ` sashiko-bot
2026-05-29 11:51 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 0/9] iommu: introduce iova_to_phys_length for efficient IOVA-to-physical translation Guanghui Feng
2026-05-31 9:36 ` [PATCH 1/9] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-05-31 9:54 ` sashiko-bot
2026-05-31 23:51 ` Jason Gunthorpe
2026-06-01 8:41 ` guanghuifeng
2026-06-01 13:43 ` Jason Gunthorpe
2026-06-01 14:14 ` guanghuifeng
2026-06-01 14:31 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 2/9] iommu/io-pgtable: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-05-31 10:03 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 3/9] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-05-31 10:12 ` sashiko-bot
2026-05-31 23:54 ` Jason Gunthorpe
2026-06-01 9:23 ` guanghuifeng
[not found] ` <fa924b86-1ca9-4819-8330-0d5f6ede8923@linux.alibaba.com>
2026-06-01 14:32 ` Jason Gunthorpe
2026-06-02 7:20 ` guanghuifeng
2026-06-02 12:32 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 4/9] iommu/arm-smmu: " Guanghui Feng
2026-05-31 10:22 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 5/9] iommu: apple-dart/ipmmu/mtk_iommu " Guanghui Feng
2026-05-31 10:32 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 6/9] iommu: direct page-table drivers " Guanghui Feng
2026-05-31 10:47 ` sashiko-bot
2026-05-31 9:36 ` [PATCH 7/9] vfio/iommufd: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-05-31 11:01 ` sashiko-bot
2026-05-31 23:58 ` Jason Gunthorpe
2026-05-31 9:36 ` [PATCH 8/9] drm/gpu, iommu/io-pgtable: switch to iova_to_phys_length Guanghui Feng
2026-05-31 9:36 ` [PATCH 9/9] iommu: remove deprecated iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-05-31 11:17 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 00/30] iommu: introduce iova_to_phys_length for efficient IOVA-to-physical translation Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 01/30] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-06-02 11:05 ` sashiko-bot
2026-06-03 1:08 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 02/30] iommu/io-pgtable-arm: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-06-02 11:09 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 03/30] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-02 11:02 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 04/30] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 05/30] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-06-02 11:06 ` sashiko-bot
2026-06-03 1:11 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 06/30] iommu/arm-smmu-v3: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 07/30] iommu/arm-smmu: " Guanghui Feng
2026-06-02 11:04 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 08/30] iommu/qcom_iommu: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 09/30] iommu/apple-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 10/30] iommu/ipmmu-vmsa: " Guanghui Feng
2026-06-03 1:13 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 11/30] iommu/mtk_iommu: " Guanghui Feng
2026-06-03 1:17 ` Jason Gunthorpe
2026-06-02 10:46 ` [PATCH v2 12/30] iommu/exynos: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 13/30] iommu/fsl_pamu: " Guanghui Feng
2026-06-02 11:02 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 14/30] iommu/msm: " Guanghui Feng
2026-06-02 11:04 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 15/30] iommu/mtk_v1: " Guanghui Feng
2026-06-02 11:12 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 16/30] iommu/omap: " Guanghui Feng
2026-06-02 11:09 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 17/30] iommu/rockchip: " Guanghui Feng
2026-06-02 11:03 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 18/30] iommu/s390: " Guanghui Feng
2026-06-02 11:10 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 19/30] iommu/sprd: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 20/30] iommu/sun50i: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 21/30] iommu/tegra-smmu: " Guanghui Feng
2026-06-02 11:10 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 22/30] iommu/virtio: " Guanghui Feng
2026-06-02 11:15 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 23/30] vfio/iommufd: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-06-02 11:16 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 24/30] drm/panfrost: switch to iova_to_phys_length Guanghui Feng
2026-06-02 11:14 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 25/30] drm/panthor: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 26/30] iommu/io-pgtable: selftests " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 27/30] iommu/io-pgtable-arm: remove deprecated iova_to_phys wrapper Guanghui Feng
2026-06-02 13:22 ` sashiko-bot
2026-06-02 10:46 ` [PATCH v2 28/30] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 29/30] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-02 10:46 ` [PATCH v2 30/30] iommu: remove iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-06-02 11:16 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 00/32] iommu: introduce iova_to_phys_length and remove iova_to_phys Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 01/32] iommu: introduce iova_to_phys_length in iommu_domain_ops Guanghui Feng
2026-06-03 15:38 ` sashiko-bot
2026-06-04 2:44 ` Baolu Lu
2026-06-04 14:16 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 02/32] iommu/io-pgtable-arm: introduce iova_to_phys_length in io_pgtable_ops Guanghui Feng
2026-06-03 15:35 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 03/32] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 04/32] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 05/32] iommu/generic_pt: implement iova_to_phys_length Guanghui Feng
2026-06-03 15:39 ` sashiko-bot
2026-06-04 3:30 ` Baolu Lu
2026-06-04 14:12 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 06/32] iommu/arm-smmu-v3: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 07/32] iommu/arm-smmu: " Guanghui Feng
2026-06-03 15:42 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 08/32] iommu/qcom_iommu: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 09/32] iommu/apple-dart: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 10/32] iommu/ipmmu-vmsa: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 11/32] iommu/mtk_iommu: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 12/32] iommu/exynos: " Guanghui Feng
2026-06-03 15:46 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 13/32] iommu/fsl_pamu: " Guanghui Feng
2026-06-03 15:48 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 14/32] iommu/msm: " Guanghui Feng
2026-06-03 15:51 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 15/32] iommu/mtk_v1: " Guanghui Feng
2026-06-03 15:58 ` sashiko-bot [this message]
2026-06-03 15:17 ` [PATCH v3 16/32] iommu/omap: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 17/32] iommu/rockchip: " Guanghui Feng
2026-06-03 15:53 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 18/32] iommu/s390: " Guanghui Feng
2026-06-03 16:03 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 19/32] iommu/sprd: " Guanghui Feng
2026-06-03 15:57 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 20/32] iommu/sun50i: " Guanghui Feng
2026-06-03 15:17 ` [PATCH v3 21/32] iommu/tegra-smmu: " Guanghui Feng
2026-06-03 16:04 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 22/32] iommu/virtio: " Guanghui Feng
2026-06-03 16:10 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 23/32] vfio: use iova_to_phys_length for efficient unmap Guanghui Feng
2026-06-03 16:14 ` sashiko-bot
2026-06-04 14:27 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 24/32] iommufd: " Guanghui Feng
2026-06-03 16:14 ` sashiko-bot
2026-06-04 14:26 ` Jason Gunthorpe
2026-06-03 15:17 ` [PATCH v3 25/32] iommufd/selftest: switch to iommu_iova_to_phys_length Guanghui Feng
2026-06-03 16:17 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 26/32] drm/panfrost: switch to iova_to_phys_length Guanghui Feng
2026-06-03 16:13 ` sashiko-bot
2026-06-03 15:17 ` [PATCH v3 27/32] drm/panthor: " Guanghui Feng
2026-06-03 16:16 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 28/32] iommu/io-pgtable: selftests " Guanghui Feng
2026-06-03 15:18 ` [PATCH v3 29/32] iommu/io-pgtable-arm: remove deprecated iova_to_phys wrapper Guanghui Feng
2026-06-03 16:32 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 30/32] iommu/io-pgtable-arm-v7s: " Guanghui Feng
2026-06-03 16:31 ` sashiko-bot
2026-06-03 15:18 ` [PATCH v3 31/32] iommu/io-pgtable-dart: " Guanghui Feng
2026-06-03 15:18 ` [PATCH v3 32/32] iommu: remove iova_to_phys from domain_ops and io_pgtable_ops Guanghui Feng
2026-06-03 16:26 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260603155850.D86141F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=guanghuifeng@linux.alibaba.com \
--cc=kvm@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox