From: Pengfei Xu <pengfei.xu@intel.com>
To: Nicolin Chen <nicolinc@nvidia.com>
Cc: <jgg@nvidia.com>, <kevin.tian@intel.com>, <yi.l.liu@intel.com>,
<iommu@lists.linux.dev>, <heng.su@intel.com>, <lkp@intel.com>
Subject: Re: [Syzkaller & bisect] There is WARNING in iopt_remove_access in upstream patch "iommufd/selftest: Add IOMMU_TEST_OP_ACCESS_REPLACE_IOAS coverage"
Date: Sun, 25 Jun 2023 17:30:32 +0800 [thread overview]
Message-ID: <ZJgJOClwU+d78rji@xpf.sh.intel.com> (raw)
In-Reply-To: <ZJYYWz2wy/86FapK@Asurada-Nvidia>
Hi Nicolin,
On 2023-06-23 at 15:10:35 -0700, Nicolin Chen wrote:
> Hi Pengfei,
>
> On Thu, Jun 15, 2023 at 10:23:09AM +0800, Pengfei Xu wrote:
>
> > Hi Nicolin,
> >
> > Greeting!
> >
> > There is WARNING in iopt_remove_access in related patch:
> > https://lore.kernel.org/lkml/e93964b04d5b0f45344931fcae0e8696dd649988.1683593831.git.nicolinc@nvidia.com/#t
> >
> > I tested Intel internal kernel and syzkaller found this issue by accident,
> > I checked that internal commit:"e93964b04d5b iommufd/selftest: Add
> > IOMMU_TEST_OP_ACCESS_REPLACE_IOAS coverage" was same as above link patch.
> >
> > It seems that syzkaller accidentally filled the syscall mutating parameter
> > during a long fuzzing time and discovered this issue:
> > " *(uint32_t*)0x20000004 = 0xb; // IOMMU_TEST_OP_ACCESS_REPLACE_IOAS=0xb"
> > https://github.com/xupengfe/syzkaller_logs/blob/210a8d4069655735cc2bc2756981a944857a734c/230614_070652_iopt_remove_access/repro.c#LL187C3-L187C32
> >
> > All analysis and detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/230614_070652_iopt_remove_access
> > Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/230614_070652_iopt_remove_access/repro.c
> > Syzkaller syscall reproduced steps: https://github.com/xupengfe/syzkaller_logs/blob/main/230614_070652_iopt_remove_access/repro.prog
> > Kconfig: https://raw.githubusercontent.com/xupengfe/syzkaller_logs/main/230614_070652_iopt_remove_access/kconfig_origin
> > Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/230614_070652_iopt_remove_access/bisect_info.log
> > Reproduced bzimage: https://github.com/xupengfe/syzkaller_logs/blob/main/230614_070652_iopt_remove_access/bzImage_e93964b04d5b0f45344931fcae0e8696dd649988.xz
> > e93964b04d5b reproduced dmesg: https://raw.githubusercontent.com/xupengfe/syzkaller_logs/main/230614_070652_iopt_remove_access/e93964b04d5b0f45344931fcae0e8696dd64998_dmesg.log
> >
> > I hope it's helpful.
>
> Thanks for the report!
>
> It turns out to be a bug in the new iommufd_access_change_pt()
> that does iopt_add_access() prior to __iommufd_access_detach().
> However, iopt_add_access() overrides access->iopt_access_list_id
> being read by the following __iommufd_access_detach(). Thus, it
> triggers the WARNING.
Thanks a lot for your analysis and fixed patch!
I have installed your below patch on top of previous reproduced kernel.
And ran the reproduced binary in previous VM more than 1 hour, this issue
could not be reproduced, result show that it's fixed.
The bzImage with below patch is in link:
https://github.com/xupengfe/syzkaller_logs/blob/main/230614_070652_iopt_remove_access/bzImage_fix.gz
Thanks!
Best Regards,
Pengfei
>
> A fix could be like this (will integrate in the next version)
> -------------------------------------------------------------------------------
> diff --git a/drivers/iommu/iommufd/device.c b/drivers/iommu/iommufd/device.c
> index a106f7c655d6..98fab19b92b9 100644
> --- a/drivers/iommu/iommufd/device.c
> +++ b/drivers/iommu/iommufd/device.c
> @@ -796,6 +796,7 @@ EXPORT_SYMBOL_NS_GPL(iommufd_access_detach, IOMMUFD);
>
> static int iommufd_access_change_pt(struct iommufd_access *access, u32 ioas_id)
> {
> + struct iommufd_ioas *cur_ioas = access->ioas;
> struct iommufd_ioas *new_ioas;
> int rc;
>
> @@ -805,15 +806,20 @@ static int iommufd_access_change_pt(struct iommufd_access *access, u32 ioas_id)
> if (IS_ERR(new_ioas))
> return PTR_ERR(new_ioas);
>
> + if (cur_ioas)
> + __iommufd_access_detach(access);
> +
> rc = iopt_add_access(&new_ioas->iopt, access);
> if (rc) {
> iommufd_put_object(&new_ioas->obj);
> + if (cur_ioas) {
> + WARN_ON(iommufd_access_change_pt(access,
> + cur_ioas->obj.id));
> + }
> return rc;
> }
> iommufd_ref_to_users(&new_ioas->obj);
>
> - if (access->ioas)
> - __iommufd_access_detach(access);
> access->ioas = new_ioas;
> access->ioas_unpin = new_ioas;
> return 0;
> -------------------------------------------------------------------------------
>
> Thanks
> Nicolin
next prev parent reply other threads:[~2023-06-25 9:28 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-15 2:23 [Syzkaller & bisect] There is WARNING in iopt_remove_access in upstream patch "iommufd/selftest: Add IOMMU_TEST_OP_ACCESS_REPLACE_IOAS coverage" Pengfei Xu
2023-06-23 22:10 ` Nicolin Chen
2023-06-25 9:30 ` Pengfei Xu [this message]
2023-06-25 18:55 ` Nicolin Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZJgJOClwU+d78rji@xpf.sh.intel.com \
--to=pengfei.xu@intel.com \
--cc=heng.su@intel.com \
--cc=iommu@lists.linux.dev \
--cc=jgg@nvidia.com \
--cc=kevin.tian@intel.com \
--cc=lkp@intel.com \
--cc=nicolinc@nvidia.com \
--cc=yi.l.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox