[PATCH 3.4 02/30] intel-iommu: fix off-by-one in pagetable freeing

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Alex Williamson <alex.williamson@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	Joerg Roedel <joro@8bytes.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.4 02/30] intel-iommu: fix off-by-one in pagetable freeing
Date: Tue, 11 Feb 2014 11:06:02 -0800	[thread overview]
Message-ID: <20140211184647.221708369@linuxfoundation.org> (raw)
In-Reply-To: <20140211184647.149512538@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Williamson <alex.williamson@redhat.com>

commit 08336fd218e087cc4fcc458e6b6dcafe8702b098 upstream.

dma_pte_free_level() has an off-by-one error when checking whether a pte
is completely covered by a range.  Take for example the case of
attempting to free pfn 0x0 - 0x1ff, ie.  512 entries covering the first
2M superpage.

The level_size() is 0x200 and we test:

  static void dma_pte_free_level(...
	...

	if (!(0 > 0 || 0x1ff < 0 + 0x200)) {
		...
	}

Clearly the 2nd test is true, which means we fail to take the branch to
clear and free the pagetable entry.  As a result, we're leaking
pagetables and failing to install new pages over the range.

This was found with a PCI device assigned to a QEMU guest using vfio-pci
without a VGA device present.  The first 1M of guest address space is
mapped with various combinations of 4K pages, but eventually the range
is entirely freed and replaced with a 2M contiguous mapping.
intel-iommu errors out with something like:

  ERROR: DMA PTE for vPFN 0x0 already set (to 5c2b8003 not 849c00083)

In this case 5c2b8003 is the pointer to the previous leaf page that was
neither freed nor cleared and 849c00083 is the superpage entry that
we're trying to replace it with.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Joerg Roedel <joro@8bytes.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iommu/intel-iommu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -913,7 +913,7 @@ static void dma_pte_free_level(struct dm

 		/* If range covers entire pagetable, free it */
 		if (!(start_pfn > level_pfn ||
-		      last_pfn < level_pfn + level_size(level))) {
+		      last_pfn < level_pfn + level_size(level) - 1)) {
 			dma_clear_pte(pte);
 			domain_flush_cache(domain, pte, sizeof(*pte));
 			free_pgtable_page(level_pte);

next prev parent reply	other threads:[~2014-02-11 19:06 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-11 19:06 [PATCH 3.4 00/30] 3.4.80-stable review Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 01/30] SELinux: Fix memory leak upon loading policy Greg Kroah-Hartman
2014-02-11 19:06 ` Greg Kroah-Hartman [this message]
2014-02-11 19:06 ` [PATCH 3.4 03/30] audit: correct a type mismatch in audit_syscall_exit() Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 04/30] mmc: atmel-mci: fix timeout errors in SDIO mode when using DMA Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 05/30] slub: Fix calculation of cpu slabs Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 07/30] ACPI / init: Flag use of ACPI and ACPI idioms for power supplies to regulator API Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 08/30] mtd: mxc_nand: remove duplicated ecc_stats counting Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 09/30] ore: Fix wrong math in allocation of per device BIO Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 10/30] IB/qib: Fix QP check when looping back to/from QP1 Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 11/30] spidev: fix hang when transfer_one_message fails Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 12/30] NFSv4: OPEN must handle the NFS4ERR_IO return code correctly Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 13/30] nfs4.1: properly handle ENOTSUP in SECINFO_NO_NAME Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 14/30] sunrpc: Fix infinite loop in RPC state machine Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 15/30] dm: wait until embedded kobject is released before destroying a device Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 16/30] dm space map common: make sure new space is used during extend Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 20/30] drm/radeon: set the full cache bit for fences on r7xx+ Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 21/30] drm/radeon/DCE4+: clear bios scratch dpms bit (v2) Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 22/30] PCI: Enable ARI if dev and upstream bridge support it; disable otherwise Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 23/30] hpfs: deadlock and race in directory lseek() Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 24/30] sched/rt: Fix SCHED_RR across cgroups Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 25/30] sched,rt: fix isolated CPUs leaving root_task_group indefinitely throttled Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 26/30] sched: Unthrottle rt runqueues in __disable_runtime() Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 27/30] sched/rt: Avoid updating RT entry timeout twice within one tick period Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 28/30] rtc-cmos: Add an alarm disable quirk Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 29/30] timekeeping: Avoid possible deadlock from clock_was_set_delayed Greg Kroah-Hartman
2014-02-11 19:06 ` [PATCH 3.4 30/30] 3.4.y: timekeeping: fix 32-bit overflow in get_monotonic_boottime Greg Kroah-Hartman
2014-02-12  4:19 ` [PATCH 3.4 00/30] 3.4.80-stable review Guenter Roeck
2014-02-12 18:55   ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140211184647.221708369@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=akpm@linux-foundation.org \
    --cc=alex.williamson@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=joro@8bytes.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).