From: Jason Gunthorpe <jgg@nvidia.com>
To: iommu@lists.linux.dev, Joerg Roedel <joro@8bytes.org>,
	Robin Murphy <robin.murphy@arm.com>,
	Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
	Will Deacon <will@kernel.org>
Cc: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>,
	Joao Martins <joao.m.martins@oracle.com>,
	Joerg Roedel <jroedel@suse.de>,
	patches@lists.linux.dev, Vasant Hegde <vasant.hegde@amd.com>
Subject: [PATCH 04/14] iommu/amd: Remove amd_iommu_domain_update() from page table freeing
Date: Wed, 21 Aug 2024 14:37:10 -0300
Message-ID: <4-v1-cdaaddf80abb+14190-amd_iopgtbl_jgg@nvidia.com>
In-Reply-To: <0-v1-cdaaddf80abb+14190-amd_iopgtbl_jgg@nvidia.com>

It is a serious bug if the domain is still mapped to any DTEs when it is
freed as we immediately start freeing page table memory, so any remaining
HW touch will UAF.

If it is not mapped then dev_list is empty and amd_iommu_domain_update()
does nothing.

Remove it and add a WARN_ON() to catch this class of bug.

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
 drivers/iommu/amd/io_pgtable.c | 3 ---
 drivers/iommu/amd/iommu.c      | 2 ++
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c
index 05aed3cb46f1bf..b3991ad1ae8ea3 100644
--- a/drivers/iommu/amd/io_pgtable.c
+++ b/drivers/iommu/amd/io_pgtable.c
@@ -578,9 +578,6 @@ static void v1_free_pgtable(struct io_pgtable *iop)
 
 	/* Update data structure */
 	amd_iommu_domain_clr_pt_root(dom);
-
-	/* Make changes visible to IOMMUs */
-	amd_iommu_domain_update(dom);
 }
 
 static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *cookie)
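
Review bot: with amd_iommu_domain_update(dom) gone, the tail of v1_free_pgtable() clears the root via amd_iommu_domain_clr_pt_root(dom) and nothing here records that the domain must already be detached from every device. The only check for that precondition is the WARN_ON() added in protection_domain_free() in the other file. Please add a short comment above amd_iommu_domain_clr_pt_root(dom) stating that no DTE may reference this table by the time it is freed, so that a later caller of the free path does not assume the function still makes the change visible to the IOMMUs. It would also help if the commit message said whether v1_free_pgtable() can be reached from any path other than protection_domain_free(), since only that path gets the new check.
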
diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index e53ffb86c3d09b..426aecacc63009 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -2260,6 +2260,8 @@ void protection_domain_free(struct protection_domain *domain)
 	if (!domain)
 		return;
 
+	WARN_ON(!list_empty(&domain->dev_list));
+
 	if (domain->iop.pgtbl_cfg.tlb)
 		free_io_pgtable_ops(&domain->iop.iop.ops);
 
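Review bot: the new WARN_ON(!list_empty(&domain->dev_list)) only reports the condition. Execution continues into free_io_pgtable_ops(&domain->iop.iop.ops), so the use-after-free described in the commit message still happens after the warning fires. Consider `if (WARN_ON(!list_empty(&domain->dev_list))) return;` so that a domain still attached to devices is leaked rather than having its page table memory freed while hardware may still walk it, or add a comment explaining why proceeding with the free is preferred. The hunk also reads dev_list without any lock visible in the context lines; a one-line comment on why that is safe at free time would help.
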
-- 
2.46.0

