From: Russell King <rmk+kernel-lFZ/pmaqli7XmaaqVzeoHQ@public.gmane.org>
To: iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org,
linux-tegra-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: Hiroshi Doyu <hdoyu-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>,
Joerg Roedel <joro-zLv9SwRftAIdnm+yROfE0A@public.gmane.org>,
Stephen Warren <swarren-3lzwWm7+Weoh9ZMKESR00Q@public.gmane.org>,
Thierry Reding
<thierry.reding-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Alexandre Courbot
<gnurou-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: [PATCH 04/18] iommu: tegra-smmu: fix unmap() method
Date: Mon, 27 Jul 2015 13:29:05 +0100
Message-ID: <E1ZJhWj-000477-OT@rmk-PC.arm.linux.org.uk>
In-Reply-To: <20150727122824.GH7557-l+eeeJia6m9vn6HldHNs0ANdhmdF6hFW@public.gmane.org>
The Tegra SMMU unmap path has several problems:
1. as_pte_put() can perform a write-after-free
2. tegra_smmu_unmap() can perform cache maintenance on a page we have
just freed.
3. when a page table is unmapped, there is no CPU cache maintenance of
the write clearing the page directory entry, nor is there any
maintenance of the IOMMU to ensure that it sees the page table has
gone.
Fix this by getting rid of as_pte_put(), and instead coding the PTE
unmap separately from the PDE unmap, placing the PDE unmap after the
PTE unmap has been completed.
Signed-off-by: Russell King <rmk+kernel-lFZ/pmaqli7XmaaqVzeoHQ@public.gmane.org>
---
drivers/iommu/tegra-smmu.c | 37 +++++++++++++++++++++++--------------
1 file changed, 23 insertions(+), 14 deletions(-)
diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c
index 083354903a1a..a7a7645fb268 100644
--- a/drivers/iommu/tegra-smmu.c
+++ b/drivers/iommu/tegra-smmu.c
@@ -509,29 +509,35 @@ static u32 *as_get_pte(struct tegra_smmu_as *as, dma_addr_t iova,
return &pt[pte];
}
-static void as_put_pte(struct tegra_smmu_as *as, dma_addr_t iova)
+static void tegra_smmu_pte_put_use(struct tegra_smmu_as *as, unsigned long iova)
{
+ struct tegra_smmu *smmu = as->smmu;
u32 pde = (iova >> SMMU_PDE_SHIFT) & 0x3ff;
- u32 pte = (iova >> SMMU_PTE_SHIFT) & 0x3ff;
u32 *count = page_address(as->count);
- u32 *pd = page_address(as->pd), *pt;
+ u32 *pd = page_address(as->pd);
struct page *page;
- page = pfn_to_page(pd[pde] & as->smmu->pfn_mask);
- pt = page_address(page);
+ page = pfn_to_page(pd[pde] & smmu->pfn_mask);
/*
* When no entries in this page table are used anymore, return the
* memory page to the system.
*/
- if (pt[pte] != 0) {
- if (--count[pde] == 0) {
- ClearPageReserved(page);
- __free_page(page);
- pd[pde] = 0;
- }
+ if (--count[pde] == 0) {
+ unsigned int offset = pde * sizeof(*pd);
- pt[pte] = 0;
+ /* Clear the page directory entry first */
+ pd[pde] = 0;
+
+ /* Flush the page directory entry */
+ smmu->soc->ops->flush_dcache(as->pd, offset, sizeof(*pd));
+ smmu_flush_ptc(smmu, as->pd, offset);
+ smmu_flush_tlb_section(smmu, as->id, iova);
+ smmu_flush(smmu);
+
+ /* Finally, free the page */
+ ClearPageReserved(page);
+ __free_page(page);
}
}
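Review bot: tegra_smmu_pte_put_use() now decrements count[pde] unconditionally, because the old `if (pt[pte] != 0)` guard is gone; the counter will underflow and the page table be freed early if the function is ever called for a PTE that was not in use, and the only thing preventing that is the caller's `if (!pte || !*pte)` check in the second hunk. A one-line comment above the function stating that it must only be called after a previously-set PTE has been cleared would make that contract explicit, since nothing here enforces it. The new ordering itself (clear pd[pde], flush_dcache of the PDE, smmu_flush_ptc, smmu_flush_tlb_section, smmu_flush, and only then __free_page) is what closes the write-after-free and the missing PDE maintenance listed as points 1 and 3 in the commit message.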
@@ -569,17 +575,20 @@ static size_t tegra_smmu_unmap(struct iommu_domain *domain, unsigned long iova,
u32 *pte;
pte = as_get_pte(as, iova, &page);
- if (!pte)
+ if (!pte || !*pte)
return 0;
+ *pte = 0;
+
offset = offset_in_page(pte);
- as_put_pte(as, iova);
smmu->soc->ops->flush_dcache(page, offset, 4);
smmu_flush_ptc(smmu, page, offset);
smmu_flush_tlb_group(smmu, as->id, iova);
smmu_flush(smmu);
+ tegra_smmu_pte_put_use(as, iova);
+
return size;
}
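Review bot: `smmu->soc->ops->flush_dcache(page, offset, 4)` keeps a bare `4` for the PTE size while the new code in tegra_smmu_pte_put_use() uses `sizeof(*pd)` for the PDE; since the surrounding lines are being reordered anyway, `sizeof(*pte)` would be the consistent form and avoids a silent mismatch if the entry width ever changes. The sequence is otherwise correct for point 2 of the commit message: `*pte = 0` is written, its cache line, the PTC and the TLB group are flushed while the page table page is still allocated, and only afterwards does tegra_smmu_pte_put_use() get the chance to free it.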
--
2.1.0