From: Jason Gunthorpe <jgg@nvidia.com>
To: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, pavel@denx.de, cengiz.can@canonical.com,
mheyne@amazon.de, mngyadam@amazon.com, kuntal.nayak@broadcom.com,
ajay.kaher@broadcom.com, zsm@chromium.org,
dan.carpenter@linaro.org, shivani.agarwal@broadcom.com,
Nicolin Chen <nicolinc@nvidia.com>,
Kevin Tian <kevin.tian@intel.com>,
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Subject: Re: [PATCH RFC 6.6.y 09/15] iommufd: Fix protection fault in iommufd_test_syz_conv_iova
Date: Wed, 2 Oct 2024 12:16:28 -0300
Message-ID: <20241002151628.GS1365916@nvidia.com>
In-Reply-To: <20241002150606.11385-10-vegard.nossum@oracle.com>
On Wed, Oct 02, 2024 at 05:06:00PM +0200, Vegard Nossum wrote:
> From: Nicolin Chen <nicolinc@nvidia.com>
>
> [ Upstream commit cf7c2789822db8b5efa34f5ebcf1621bc0008d48 ]
>
> Syzkaller reported the following bug:
>
> general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN
> KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
> Call Trace:
> lock_acquire
> lock_acquire+0x1ce/0x4f0
> down_read+0x93/0x4a0
> iommufd_test_syz_conv_iova+0x56/0x1f0
> iommufd_test_access_rw.isra.0+0x2ec/0x390
> iommufd_test+0x1058/0x1e30
> iommufd_fops_ioctl+0x381/0x510
> vfs_ioctl
> __do_sys_ioctl
> __se_sys_ioctl
> __x64_sys_ioctl+0x170/0x1e0
> do_syscall_x64
> do_syscall_64+0x71/0x140
>
> This is because the new iommufd_access_change_ioas() sets access->ioas to
> NULL during its process, so the lock might be gone in a concurrent racing
> context.
>
> Fix this by doing the same access->ioas sanity as iommufd_access_rw() and
> iommufd_access_pin_pages() functions do.
>
> Cc: stable@vger.kernel.org
> Fixes: 9227da7816dd ("iommufd: Add iommufd_access_change_ioas(_id) helpers")
> Link: https://lore.kernel.org/r/3f1932acaf1dd494d404c04364d73ce8f57f3e5e.1708636627.git.nicolinc@nvidia.com
> Reported-by: Jason Gunthorpe <jgg@nvidia.com>
> Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
> Reviewed-by: Kevin Tian <kevin.tian@intel.com>
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> (cherry picked from commit cf7c2789822db8b5efa34f5ebcf1621bc0008d48)
> [Harshit: CVE-2024-26785; Resolve conflicts due to missing commit:
> bd7a282650b8 ("iommufd: Add iommufd_ctx to iommufd_put_object()") in
> 6.6.y]
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
> Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
> ---
> drivers/iommu/iommufd/selftest.c | 27 +++++++++++++++++++++------
> 1 file changed, 21 insertions(+), 6 deletions(-)
This is only fixing the test suite and does not affect a
production kernel where this code should not be compiled.
Jason
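The race the quoted commit message describes, as a constructed single-threaded model added here (not iommufd code and not the patch itself): change_ioas() detaches the IOAS by setting the pointer to NULL, the unchecked conversion dereferences it anyway, and the checked version re-validates access->ioas under the access lock before touching the IOAS's own lock. All struct and function names are stand-ins chosen for the model.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed model of the bug in the commit message; the real iommufd
 * objects, locks and helper names differ. Locks are plain counters. */
struct iopt { int iova_rwsem_readers; };   /* stands in for iopt.iova_rwsem */
struct ioas { struct iopt iopt; };
struct access {
    int ioas_lock_held;                    /* stands in for access->ioas_lock */
    struct ioas *ioas;                     /* may become NULL concurrently */
};

static void ioas_lock(struct access *a)   { a->ioas_lock_held = 1; }
static void ioas_unlock(struct access *a) { a->ioas_lock_held = 0; }

/* Models iommufd_access_change_ioas(): the IOAS pointer is swapped under
 * the access lock and is NULL while the access is between IOAS objects. */
static void change_ioas(struct access *a, struct ioas *new_ioas)
{
    ioas_lock(a);
    a->ioas = new_ioas;
    ioas_unlock(a);
}

/* Unchecked conversion: reaches through access->ioas without confirming it
 * is still attached. With a->ioas == NULL this is the reported deref. */
static int conv_iova_unchecked(struct access *a)
{
    a->ioas->iopt.iova_rwsem_readers++;    /* down_read() on a gone lock */
    a->ioas->iopt.iova_rwsem_readers--;    /* up_read() */
    return 0;
}

/* Checked conversion, the pattern the fix borrows from the rw/pin_pages
 * paths: hold the access lock, bail out if the IOAS is gone, and only then
 * take the read side of the IOAS lock. */
static int conv_iova_checked(struct access *a)
{
    ioas_lock(a);
    if (!a->ioas) {
        ioas_unlock(a);
        return -ENOENT;                    /* no IOAS attached right now */
    }
    a->ioas->iopt.iova_rwsem_readers++;    /* down_read() */
    /* ... IOVA translation would happen here ... */
    a->ioas->iopt.iova_rwsem_readers--;    /* up_read() */
    ioas_unlock(a);
    return 0;
}
```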