system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-19 17:58:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/drivers
History
Qian Cai 9ac8545199 iommu: Fix use-after-free in iommu_release_device 
In pci_disable_sriov(), i.e.,

 # echo 0 > /sys/class/net/enp11s0f1np1/device/sriov_numvfs

iommu_release_device
  iommu_group_remove_device
    arm_smmu_domain_free
      kfree(smmu_domain)

Later,

iommu_release_device
  arm_smmu_release_device
    arm_smmu_detach_dev
      spin_lock_irqsave(&smmu_domain->devices_lock,

would trigger an use-after-free. Fixed it by call
arm_smmu_release_device() first before iommu_group_remove_device().

 BUG: KASAN: use-after-free in __lock_acquire+0x3458/0x4440
  __lock_acquire at kernel/locking/lockdep.c:4250
 Read of size 8 at addr ffff0089df1a6f68 by task bash/3356

 CPU: 5 PID: 3356 Comm: bash Not tainted 5.8.0-rc3-next-20200630 #2
 Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS L50_5.13_1.11 06/18/2019
 Call trace:
  dump_backtrace+0x0/0x398
  show_stack+0x14/0x20
  dump_stack+0x140/0x1b8
  print_address_description.isra.12+0x54/0x4a8
  kasan_report+0x134/0x1b8
  __asan_report_load8_noabort+0x2c/0x50
  __lock_acquire+0x3458/0x4440
  lock_acquire+0x204/0xf10
  _raw_spin_lock_irqsave+0xf8/0x180
  arm_smmu_detach_dev+0xd8/0x4a0
  arm_smmu_detach_dev at drivers/iommu/arm-smmu-v3.c:2776
  arm_smmu_release_device+0xb4/0x1c8
  arm_smmu_disable_pasid at drivers/iommu/arm-smmu-v3.c:2754
  (inlined by) arm_smmu_release_device at drivers/iommu/arm-smmu-v3.c:3000
  iommu_release_device+0xc0/0x178
  iommu_release_device at drivers/iommu/iommu.c:302
  iommu_bus_notifier+0x118/0x160
  notifier_call_chain+0xa4/0x128
  __blocking_notifier_call_chain+0x70/0xa8
  blocking_notifier_call_chain+0x14/0x20
  device_del+0x618/0xa00
  pci_remove_bus_device+0x108/0x2d8
  pci_stop_and_remove_bus_device+0x1c/0x28
  pci_iov_remove_virtfn+0x228/0x368
  sriov_disable+0x8c/0x348
  pci_disable_sriov+0x5c/0x70
  mlx5_core_sriov_configure+0xd8/0x260 [mlx5_core]
  sriov_numvfs_store+0x240/0x318
  dev_attr_store+0x38/0x68
  sysfs_kf_write+0xdc/0x128
  kernfs_fop_write+0x23c/0x448
  __vfs_write+0x54/0xe8
  vfs_write+0x124/0x3f0
  ksys_write+0xe8/0x1b8
  __arm64_sys_write+0x68/0x98
  do_el0_svc+0x124/0x220
  el0_sync_handler+0x260/0x408
  el0_sync+0x140/0x180

 Allocated by task 3356:
  save_stack+0x24/0x50
  __kasan_kmalloc.isra.13+0xc4/0xe0
  kasan_kmalloc+0xc/0x18
  kmem_cache_alloc_trace+0x1ec/0x318
  arm_smmu_domain_alloc+0x54/0x148
  iommu_group_alloc_default_domain+0xc0/0x440
  iommu_probe_device+0x1c0/0x308
  iort_iommu_configure+0x434/0x518
  acpi_dma_configure+0xf0/0x128
  pci_dma_configure+0x114/0x160
  really_probe+0x124/0x6d8
  driver_probe_device+0xc4/0x180
  __device_attach_driver+0x184/0x1e8
  bus_for_each_drv+0x114/0x1a0
  __device_attach+0x19c/0x2a8
  device_attach+0x10/0x18
  pci_bus_add_device+0x70/0xf8
  pci_iov_add_virtfn+0x7b4/0xb40
  sriov_enable+0x5c8/0xc30
  pci_enable_sriov+0x64/0x80
  mlx5_core_sriov_configure+0x58/0x260 [mlx5_core]
  sriov_numvfs_store+0x1c0/0x318
  dev_attr_store+0x38/0x68
  sysfs_kf_write+0xdc/0x128
  kernfs_fop_write+0x23c/0x448
  __vfs_write+0x54/0xe8
  vfs_write+0x124/0x3f0
  ksys_write+0xe8/0x1b8
  __arm64_sys_write+0x68/0x98
  do_el0_svc+0x124/0x220
  el0_sync_handler+0x260/0x408
  el0_sync+0x140/0x180

 Freed by task 3356:
  save_stack+0x24/0x50
  __kasan_slab_free+0x124/0x198
  kasan_slab_free+0x10/0x18
  slab_free_freelist_hook+0x110/0x298
  kfree+0x128/0x668
  arm_smmu_domain_free+0xf4/0x1a0
  iommu_group_release+0xec/0x160
  kobject_put+0xf4/0x238
  kobject_del+0x110/0x190
  kobject_put+0x1e4/0x238
  iommu_group_remove_device+0x394/0x938
  iommu_release_device+0x9c/0x178
  iommu_release_device at drivers/iommu/iommu.c:300
  iommu_bus_notifier+0x118/0x160
  notifier_call_chain+0xa4/0x128
  __blocking_notifier_call_chain+0x70/0xa8
  blocking_notifier_call_chain+0x14/0x20
  device_del+0x618/0xa00
  pci_remove_bus_device+0x108/0x2d8
  pci_stop_and_remove_bus_device+0x1c/0x28
  pci_iov_remove_virtfn+0x228/0x368
  sriov_disable+0x8c/0x348
  pci_disable_sriov+0x5c/0x70
  mlx5_core_sriov_configure+0xd8/0x260 [mlx5_core]
  sriov_numvfs_store+0x240/0x318
  dev_attr_store+0x38/0x68
  sysfs_kf_write+0xdc/0x128
  kernfs_fop_write+0x23c/0x448
  __vfs_write+0x54/0xe8
  vfs_write+0x124/0x3f0
  ksys_write+0xe8/0x1b8
  __arm64_sys_write+0x68/0x98
  do_el0_svc+0x124/0x220
  el0_sync_handler+0x260/0x408
  el0_sync+0x140/0x180

 The buggy address belongs to the object at ffff0089df1a6e00
  which belongs to the cache kmalloc-512 of size 512
 The buggy address is located 360 bytes inside of
  512-byte region [ffff0089df1a6e00, ffff0089df1a7000)
 The buggy address belongs to the page:
 page:ffffffe02257c680 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0089df1a1400
 flags: 0x7ffff800000200(slab)
 raw: 007ffff800000200 ffffffe02246b8c8 ffffffe02257ff88 ffff000000320680
 raw: ffff0089df1a1400 00000000002a000e 00000001ffffffff ffff0089df1a5001
 page dumped because: kasan: bad access detected
 page->mem_cgroup:ffff0089df1a5001

 Memory state around the buggy address:
  ffff0089df1a6e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff0089df1a6e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 >ffff0089df1a6f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                           ^
  ffff0089df1a6f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff0089df1a7000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Fixes: a6a4c7e2c5 ("iommu: Add probe_device() and release_device() call-backs")
Signed-off-by: Qian Cai <cai@lca.pw>
Link: https://lore.kernel.org/r/20200704001003.2303-1-cai@lca.pw
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2020-07-09 17:19:10 +02:00
..
accessibility treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
acpi Merge branch 'acpi-sysfs' 2020-06-26 17:06:29 +02:00
amba ARM: tegra: Replace zero-length array with flexible-array 2020-06-15 23:08:28 -05:00
android binder: fix null deref of proc->context 2020-06-23 07:54:46 +02:00
ata libata-5.8-2020-06-19 2020-06-19 13:09:40 -07:00
atm treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
auxdisplay treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
base Power management fixes for 5.8-rc3 2020-06-26 12:32:11 -07:00
bcma
block block-5.8-2020-06-19 2020-06-19 13:11:26 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
bus Fixes for omaps for v5.8 2020-06-28 14:41:55 +02:00
cdrom Merge branch 'work.sysctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-06-10 16:05:54 -07:00
char Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-06-21 10:01:03 -07:00
clk clk: sifive: allocate sufficient memory for struct __prci_data 2020-06-25 15:04:13 -07:00
clocksource clocksource/drivers/timer-riscv: Use per-CPU timer interrupt 2020-06-09 19:11:22 -07:00
connector treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
counter
cpufreq cpufreq: intel_pstate: Add one more OOB control bit 2020-06-23 17:24:32 +02:00
cpuidle cpuidle: Rearrange s2idle-specific idle state entry code 2020-06-25 13:52:53 +02:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2020-06-21 10:01:03 -07:00
dax device-dax: add memory via add_memory_driver_managed() 2020-06-04 19:06:23 -07:00
dca
devfreq
dio maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
dma dmaengine: tegra-apb: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
dma-buf treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
edac EDAC/amd64: Read back the scrub rate PCI register on F15h 2020-06-18 20:25:25 +02:00
eisa treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
extcon extcon: arizona: Fix runtime PM imbalance on error 2020-05-29 17:36:02 +09:00
firewire firewire: ohci: Replace zero-length array with flexible-array 2020-06-15 23:08:31 -05:00
firmware ARM: SoC fixes for v5.8 2020-06-28 14:55:18 -07:00
fpga FPGA Manager fixes for 5.8-rc1 2020-06-26 17:26:31 +02:00
fsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gnss treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gpio treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gpu Short summary of fixes pull (less than what git shortlog provides): 2020-06-26 13:49:17 +10:00
greybus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hid treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hsi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
hv hyperv-next for 5.8 2020-06-03 15:00:05 -07:00
hwmon Merge branch 'x86/entry' into ras/core 2020-06-11 15:17:57 +02:00
hwspinlock
hwtracing stm class: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
i2c i2c: core: check returned size of emulated smbus block read 2020-06-26 10:18:35 +02:00
i3c
ide treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
idle
iio treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
infiniband IB/hfi1: Add atomic triggered sleep/wakeup 2020-06-24 16:13:38 -03:00
input maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
interconnect More power management updates for 5.8-rc1 2020-06-10 14:04:39 -07:00
iommu iommu: Fix use-after-free in iommu_release_device 2020-07-09 17:19:10 +02:00
ipack treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
irqchip clocksource/drivers/timer-riscv: Use per-CPU timer interrupt 2020-06-09 19:11:22 -07:00
isdn treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
leds LEDs pull request for 5.8-rc1. 2020-06-04 11:03:45 -07:00
lightnvm for-5.8/block-2020-06-01 2020-06-02 15:29:19 -07:00
macintosh treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
mailbox mailbox: qcom: Add ipq6018 apcs compatible 2020-06-10 22:43:57 -05:00
mcb
md - Quite a few DM zoned target fixes and a Zone append fix in DM core. 2020-06-27 08:57:16 -07:00
media media: omap3isp: remove cacheflush.h 2020-06-26 00:27:37 -07:00
memory
memstick
message scsi: mptscsih: Fix read sense data size 2020-06-24 00:23:17 -04:00
mfd mfd: mt6360: Fix register driver NULL pointer by adding driver name 2020-06-16 09:32:43 +01:00
misc habanalabs: increase h/w timer when checking idle 2020-06-24 12:35:23 +03:00
mmc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
most
mtd This pull request contains a single change for UBI: 2020-06-10 13:24:40 -07:00
mux
net wil6210: account for napi_gro_receive never returning GRO_DROP 2020-06-25 16:16:21 -07:00
nfc treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-05 20:02:09 -04:00
nubus
nvdimm nvdimm/region: always show the 'align' attribute 2020-06-17 14:08:31 -07:00
nvme nvme-multipath: fix bogus request queue reference put 2020-06-24 18:41:20 +02:00
nvmem
of of: of_mdio: Correct loop scanning logic 2020-06-19 13:39:00 -07:00
opp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
oprofile oprofile: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
parisc
parport treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pci Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pcmcia treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
perf arm64 merge window fixes for -rc1 2020-06-11 12:53:23 -07:00
phy phy: samsung: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
pinctrl pinctrl: single: fix function name in documentation 2020-06-20 22:41:32 +02:00
platform Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pnp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
power power supply and reset changes for the v5.8 series 2020-06-10 11:28:35 -07:00
powercap Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
pps treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
ps3
ptp treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
pwm pwm: Add missing "CONFIG_" prefix 2020-06-04 19:09:28 +02:00
rapidio rapidio: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
ras
regulator regulator: mt6358: Remove BROKEN dependency 2020-06-17 13:01:19 +01:00
remoteproc remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
reset Char/Misc driver patches for 5.8-rc1 2020-06-07 10:59:32 -07:00
rpmsg remoteproc updates for v5.8 2020-06-08 13:01:08 -07:00
rtc RTC for 5.8 2020-06-07 16:11:23 -07:00
s390 SCSI fixes on 20200627 2020-06-27 15:20:03 -07:00
sbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
scsi scsi: lpfc: Avoid another null dereference in lpfc_sli4_hba_unset() 2020-06-23 23:56:52 -04:00
sfi treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
sh
siox
slimbus
soc ARM: OMAP fixes for v5.8 2020-06-28 14:57:14 -07:00
soundwire
spi spi: Fixes for v5.8 2020-06-22 09:49:59 -07:00
spmi
ssb
staging Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate() 2020-06-16 21:25:38 +02:00
target Kbuild updates for v5.8 (2nd) 2020-06-13 13:29:16 -07:00
tc
tee mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
thermal - Add the hwmon support on the i.MX SC (Anson Huang) 2020-06-12 14:10:21 -07:00
thunderbolt USB/PHY driver updates for 5.8-rc1 2020-06-07 09:42:16 -07:00
tty kdb: Switch to use safer dbg_io_ops over console APIs 2020-06-26 15:40:16 +01:00
uio
usb USB fixes for 5.8-rc3 2020-06-27 13:12:10 -07:00
vdpa vdpa: fix typos in the comments for __vdpa_alloc_device() 2020-06-22 12:34:21 -04:00
vfio vfio/pci: Fix SR-IOV VF handling with MMIO blocking 2020-06-25 11:04:23 -06:00
vhost tools/virtio: Add --reset 2020-06-22 12:34:21 -04:00
video Short summary of fixes pull (less than what git shortlog provides): 2020-06-26 13:49:17 +10:00
virt treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
virtio virtio-mem: add memory via add_memory_driver_managed() 2020-06-22 12:34:21 -04:00
visorbus treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
vlynq
vme treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
w1 w1: Replace zero-length array with flexible-array 2020-06-15 23:08:32 -05:00
watchdog treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
xen The X86 entry, exception and interrupt code rework 2020-06-13 10:05:47 -07:00
zorro treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Kconfig
Makefile