RE: [PATCH 1/1] iommu/vtd: Fix NULL pointer dereference in prq_event_thread()
From: Liu, Yi L
Date: Mon Nov 05 2018 - 02:12:03 EST
> From: Lu Baolu [mailto:baolu.lu@xxxxxxxxxxxxxxx]
> Sent: Monday, November 5, 2018 1:45 PM
> To: Liu, Yi L <yi.l.liu@xxxxxxxxx>; Joerg Roedel <joro@xxxxxxxxxx>; David
> Woodhouse <dwmw2@xxxxxxxxxxxxx>
> Cc: baolu.lu@xxxxxxxxxxxxxxx; Raj, Ashok <ashok.raj@xxxxxxxxx>; linux-
> kernel@xxxxxxxxxxxxxxx; iommu@xxxxxxxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [PATCH 1/1] iommu/vtd: Fix NULL pointer dereference in
> prq_event_thread()
>
> Hi Yi,
>
> On 11/5/18 1:21 PM, Liu, Yi L wrote:
> > Hi Baolu,
> >
> >> From: iommu-bounces@xxxxxxxxxxxxxxxxxxxxxxxxxx [mailto:iommu-
> >> bounces@xxxxxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Lu Baolu
> >> Sent: Monday, November 5, 2018 10:19 AM
> >> To: Joerg Roedel <joro@xxxxxxxxxx>; David Woodhouse
> >> <dwmw2@xxxxxxxxxxxxx>
> >> Cc: Raj, Ashok <ashok.raj@xxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx;
> >> iommu@xxxxxxxxxxxxxxxxxxxxxxxxxx
> >> Subject: [PATCH 1/1] iommu/vtd: Fix NULL pointer dereference in
> >> prq_event_thread()
> >>
> >> When handling page request without pasid event, go to "no_pasid"
> >> branch instead of "bad_req". Otherwise, a NULL pointer deference will happen
> there.
> >>
> >> Cc: Ashok Raj <ashok.raj@xxxxxxxxx>
> >> Cc: Jacob Pan <jacob.jun.pan@xxxxxxxxxxxxxxx>
> >> Cc: Sohil Mehta <sohil.mehta@xxxxxxxxx>
> >> Signed-off-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>
> >> ---
> >> drivers/iommu/intel-svm.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
> >> index
> >> db301efe126d..887150907526 100644
> >> --- a/drivers/iommu/intel-svm.c
> >> +++ b/drivers/iommu/intel-svm.c
> >> @@ -595,7 +595,7 @@ static irqreturn_t prq_event_thread(int irq, void *d)
> >> pr_err("%s: Page request without PASID: %08llx %08llx\n",
> >> iommu->name, ((unsigned long long *)req)[0],
> >> ((unsigned long long *)req)[1]);
> >> - goto bad_req;
> >> + goto no_pasid;
> >> }
> >>
> >> if (!svm || svm->pasid != req->pasid) {
> >> --
> >
> > I'm afraid it is still necessary to goto "bad_req". The following code
> > behind "bad_req" will trigger fault_cb registered by in-kernel
> > drivers. It is reasonable that PRQ without PASID can be handled by
> > such callbacks. So I would suggest to keep the existing logic.
>
> A page fault without a pasid is triggered by a DMA transfer without PASID. It doesn't
> relate to the SVM functionality hence there's no @svm or @sdev related to it. It's
> unnecessary to report it to the drivers as far as I can see.
Yeah, a PRQ without PASID has no corresponding svm or sdev structure. Regards to this
fact, it's acceptable for this fix. In long term, it might be helpful to refine the PRQ event
handler to cover PRQ without PASID. I guess Jacob's fault report framework may help.
+Jacob
Regards,
Yi Liu