On Thu, Apr 14, 2022 at 06:08:09PM +0800, [email protected] wrote: > > On 2022/4/12 下午11:35, [email protected] wrote: > > Hi, Fenghua > > > > On 2022/4/12 下午9:41, Fenghua Yu wrote: > > > Hi, Zhangfei, > > > > > > On Tue, Apr 12, 2022 at 03:04:09PM +0800, [email protected] > > > wrote: > > > > > > > > On 2022/4/11 下午10:52, Dave Hansen wrote: > > > > > On 4/11/22 07:44, [email protected] wrote: > > > > > > On 2022/4/11 下午10:36, Dave Hansen wrote: > > > > > > > On 4/11/22 07:20, [email protected] wrote: > > Agree with Dave, I think user space should not be broken. > > > > Thanks > > Any plan about this regression? > Currently I need this patch to workaround the issue. > > diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c > b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c > index 22ddd05bbdcd..2d74ac53d11c 100644 > --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c > +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c > @@ -4,6 +4,7 @@ > */ > > #include <linux/mm.h> > +#include <linux/sched/mm.h> > #include <linux/mmu_context.h> > #include <linux/mmu_notifier.h> > #include <linux/slab.h> > @@ -363,6 +364,7 @@ arm_smmu_sva_bind(struct device *dev, struct mm_struct > *mm, void *drvdata) > > mutex_lock(&sva_lock); > handle = __arm_smmu_sva_bind(dev, mm); > + mmget(mm); > mutex_unlock(&sva_lock); > return handle; > } > @@ -377,6 +379,7 @@ void arm_smmu_sva_unbind(struct iommu_sva *handle) > arm_smmu_mmu_notifier_put(bond->smmu_mn); > kfree(bond); > } > + mmput(bond->mm); > mutex_unlock(&sva_lock); > }
Could you please review and/or test this patch? It's supposed to fix the PASID issue on both ARM and X86. From a6444e1e5bd8076f5e5c5e950d3192de327f0c9c Mon Sep 17 00:00:00 2001 From: Fenghua Yu <[email protected]> Date: Fri, 15 Apr 2022 00:51:33 -0700 Subject: [RFC PATCH] iommu/sva: Fix PASID use-after-free issue A PASID might be still used even though it is freed on mm exit. process A: sva_bind(); ioasid_alloc() = N; // Get PASID N for the mm fork(): // spawn process B exit(); ioasid_free(N); process B: device uses PASID N -> failure sva_unbind(); Dave Hansen suggests to take a refcount on the mm whenever binding the PASID to a device and drop the refcount on unbinding. The mm won't be dropped if the PASID is still bound to it. Fixes: 701fac40384f ("iommu/sva: Assign a PASID to mm on PASID allocation and free it on mm exit") Reported-by: Zhangfei Gao <[email protected]> Suggested-by: Dave Hansen" <[email protected]> Signed-off-by: Fenghua Yu <[email protected]> --- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 6 ++++++ drivers/iommu/intel/svm.c | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c index 22ddd05bbdcd..3fcb842a0df0 100644 --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c @@ -7,6 +7,7 @@ #include <linux/mmu_context.h> #include <linux/mmu_notifier.h> #include <linux/slab.h> +#include <linux/sched/mm.h> #include "arm-smmu-v3.h" #include "../../iommu-sva-lib.h" @@ -363,6 +364,9 @@ arm_smmu_sva_bind(struct device *dev, struct mm_struct *mm, void *drvdata) mutex_lock(&sva_lock); handle = __arm_smmu_sva_bind(dev, mm); + /* Take an mm refcount on a successful bind. */ + if (!IS_ERR(handle)) + mmget(mm); mutex_unlock(&sva_lock); return handle; } @@ -372,6 +376,8 @@ void arm_smmu_sva_unbind(struct iommu_sva *handle) struct arm_smmu_bond *bond = sva_to_bond(handle); mutex_lock(&sva_lock); + /* Drop an mm refcount. */ + mmput(bond->mm); if (refcount_dec_and_test(&bond->refs)) { list_del(&bond->list); arm_smmu_mmu_notifier_put(bond->smmu_mn); diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c index 23a38763c1d1..345a0d5d7922 100644 --- a/drivers/iommu/intel/svm.c +++ b/drivers/iommu/intel/svm.c @@ -403,6 +403,8 @@ static struct iommu_sva *intel_svm_bind_mm(struct intel_iommu *iommu, goto free_sdev; list_add_rcu(&sdev->list, &svm->devs); + /* Take an mm refcount on binding mm. */ + mmget(mm); success: return &sdev->sva; @@ -465,6 +467,8 @@ static int intel_svm_unbind_mm(struct device *dev, u32 pasid) kfree(svm); } } + /* Drop an mm reference on unbinding mm. */ + mmput(mm); } out: return ret; -- 2.32.0 _______________________________________________ iommu mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/iommu
