Crash in intel_iommu_assign

kvm.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Crash in intel_iommu_assign_device
@ 2010-11-01 11:41 Jan Kiszka
  2010-11-02  6:52 ` Sheng Yang
  0 siblings, 1 reply; 3+ messages in thread
From: Jan Kiszka @ 2010-11-01 11:41 UTC (permalink / raw)
  To: Sheng Yang; +Cc: kvm, Linux Kernel Mailing List

[-- Attachment #1: Type: text/plain, Size: 565 bytes --]

Hi Sheng,

I'm not claiming to understand the details, but this looks like use
(dereference of pte via dma_pte_addr) after release (free_pgtable_page
of dmar_domain->pgd aka pte) to me:

static int intel_iommu_attach_device(struct iommu_domain *domain,
				     struct device *dev)
{
	[...]
		pte = dmar_domain->pgd;
		if (dma_pte_present(pte)) {
			free_pgtable_page(dmar_domain->pgd);
			dmar_domain->pgd = (struct dma_pte *)
				phys_to_virt(dma_pte_addr(pte));
		}

At least it crashes here right on pte->val access. Swap both lines?

Jan


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Crash in intel_iommu_assign_device
  2010-11-01 11:41 Crash in intel_iommu_assign_device Jan Kiszka
@ 2010-11-02  6:52 ` Sheng Yang
  2010-11-02  7:07   ` Jan Kiszka
  0 siblings, 1 reply; 3+ messages in thread
From: Sheng Yang @ 2010-11-02  6:52 UTC (permalink / raw)
  To: Jan Kiszka; +Cc: kvm, Linux Kernel Mailing List

On Monday 01 November 2010 19:41:21 Jan Kiszka wrote:
> Hi Sheng,
> 
> I'm not claiming to understand the details, but this looks like use
> (dereference of pte via dma_pte_addr) after release (free_pgtable_page
> of dmar_domain->pgd aka pte) to me:
> 
> static int intel_iommu_attach_device(struct iommu_domain *domain,
> 				     struct device *dev)
> {
> 	[...]
> 		pte = dmar_domain->pgd;
> 		if (dma_pte_present(pte)) {
> 			free_pgtable_page(dmar_domain->pgd);
> 			dmar_domain->pgd = (struct dma_pte *)
> 				phys_to_virt(dma_pte_addr(pte));
> 		}
> 
> At least it crashes here right on pte->val access. Swap both lines?

I think code is right.

The comment above indicate the case: the code want to decrease the level of page 
table. Mostly it is a 4 level page table, and the code would turn it into 3 levels 
pagetable. What the code did is just get the first entry of the old pagetable level 
4, then free the level 4 pagetable's page, and make the pagetable to a level 3 
pagetable.

Seems it make no sense to swap the lines...

--
regards
Yang, Sheng

> 
> Jan

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Crash in intel_iommu_assign_device
  2010-11-02  6:52 ` Sheng Yang
@ 2010-11-02  7:07   ` Jan Kiszka
  0 siblings, 0 replies; 3+ messages in thread
From: Jan Kiszka @ 2010-11-02  7:07 UTC (permalink / raw)
  To: Sheng Yang; +Cc: kvm, Linux Kernel Mailing List

[-- Attachment #1: Type: text/plain, Size: 1263 bytes --]

Am 02.11.2010 07:52, Sheng Yang wrote:
> On Monday 01 November 2010 19:41:21 Jan Kiszka wrote:
>> Hi Sheng,
>>
>> I'm not claiming to understand the details, but this looks like use
>> (dereference of pte via dma_pte_addr) after release (free_pgtable_page
>> of dmar_domain->pgd aka pte) to me:
>>
>> static int intel_iommu_attach_device(struct iommu_domain *domain,
>> 				     struct device *dev)
>> {
>> 	[...]
>> 		pte = dmar_domain->pgd;
>> 		if (dma_pte_present(pte)) {
>> 			free_pgtable_page(dmar_domain->pgd);
>> 			dmar_domain->pgd = (struct dma_pte *)
>> 				phys_to_virt(dma_pte_addr(pte));
>> 		}
>>
>> At least it crashes here right on pte->val access. Swap both lines?
> 
> I think code is right.
> 
> The comment above indicate the case: the code want to decrease the level of page 
> table. Mostly it is a 4 level page table, and the code would turn it into 3 levels 
> pagetable. What the code did is just get the first entry of the old pagetable level 
> 4, then free the level 4 pagetable's page, and make the pagetable to a level 3 
> pagetable.
> 
> Seems it make no sense to swap the lines...

It fixes the crash here, and I'm convinced the current code is wrong.
See the patch I've just sent out.

Jan


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-11-02  7:07 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-11-01 11:41 Crash in intel_iommu_assign_device Jan Kiszka
2010-11-02  6:52 ` Sheng Yang
2010-11-02  7:07   ` Jan Kiszka

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).