From: Jan Kiszka
Subject: Crash in intel_iommu_assign_device
Date: Mon, 01 Nov 2010 12:41:21 +0100
Message-ID: <4CCEA761.90501@web.de>
To: Sheng Yang
Cc: kvm, Linux Kernel Mailing List

Hi Sheng,

I'm not claiming to understand the details, but this looks like use
(dereference of pte via dma_pte_addr) after release (free_pgtable_page
of dmar_domain->pgd aka pte) to me:

static int intel_iommu_attach_device(struct iommu_domain *domain,
				     struct device *dev)
{
[...]
	pte = dmar_domain->pgd;
	if (dma_pte_present(pte)) {
		free_pgtable_page(dmar_domain->pgd);
		dmar_domain->pgd = (struct dma_pte *)
			phys_to_virt(dma_pte_addr(pte));
	}

At least it crashes here right on pte->val access. Swap both lines?

Jan
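
A user-space model of the ordering problem raised in the message above, added here as an example; it is not part of the original e-mail or of the kernel source. The helper bodies, the two-page pool, the poison byte and the `strip_level_*` names are assumptions for illustration, and the free is modelled by poisoning the page so the stale read gives a deterministic result.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define PTE_RW    3ULL   /* model: read|write bits mark an entry present */
#define POISON    0x6b   /* constructed fill byte written on free */
struct dma_pte { uint64_t val; };
/* Constructed two-page pool standing in for the page-table allocator. */
static _Alignas(PAGE_SIZE) struct dma_pte pool[2][PAGE_SIZE / sizeof(struct dma_pte)];
static int dma_pte_present(const struct dma_pte *p) { return (p->val & PTE_RW) != 0; }
static uint64_t dma_pte_addr(const struct dma_pte *p) { return p->val & ~(uint64_t)(PAGE_SIZE - 1); }
/* Model of the free: poison the page so a later read is visibly stale. */
static void free_pgtable_page(void *page) { memset(page, POISON, PAGE_SIZE); }
/* Model of phys_to_virt(): identity mapping in user space. */
static struct dma_pte *phys_to_virt(uint64_t a) { return (struct dma_pte *)(uintptr_t)a; }
/* Top-level page whose first entry points at the lower-level page. */
static struct dma_pte *setup(void) {
    memset(pool, 0, sizeof(pool));
    pool[0][0].val = (uint64_t)(uintptr_t)pool[1] | PTE_RW;
    return pool[0];
}

/* Order quoted in the message: free the page, then read its entry. */
static struct dma_pte *strip_level_buggy(struct dma_pte *pgd) {
    struct dma_pte *pte = pgd;
    if (dma_pte_present(pte)) {
        free_pgtable_page(pgd);
        pgd = phys_to_virt(dma_pte_addr(pte));   /* reads freed memory */
    }
    return pgd;
}

/* Swapped order: read the next-level address while the page is live. */
static struct dma_pte *strip_level_fixed(struct dma_pte *pgd) {
    struct dma_pte *pte = pgd;
    if (dma_pte_present(pte)) {
        struct dma_pte *next = phys_to_virt(dma_pte_addr(pte));
        free_pgtable_page(pgd);
        pgd = next;
    }
    return pgd;
}

int main(void) {
    printf("buggy %p\n", (void *)strip_level_buggy(setup()));
    printf("fixed %p (lower-level page %p)\n",
           (void *)strip_level_fixed(setup()), (void *)pool[1]);
    return 0;
}
```

In the model the buggy order returns an address built from the poison bytes, while the swapped order returns the lower-level page.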