Re: [PATCH] iommu/dma: limit iova free size to unmmaped iova
From: Robin Murphy
Date: Thu May 21 2020 - 16:16:34 EST
On 2020-05-21 12:30, Prakash Gupta wrote:
Limit the iova size while freeing based on unmapped size. In absence of
this even with unmap failure, invalid iova is pushed to iova rcache and
subsequently can cause panic while rcache magazine is freed.
Can you elaborate on that panic?
Signed-off-by: Prakash Gupta <guptap@xxxxxxxxxxxxxx>
:100644 100644 4959f5df21bd 098f7d377e04 M drivers/iommu/dma-iommu.c
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
index 4959f5df21bd..098f7d377e04 100644
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -472,7 +472,8 @@ static void __iommu_dma_unmap(struct device *dev, dma_addr_t dma_addr,
if (!cookie->fq_domain)
iommu_tlb_sync(domain, &iotlb_gather);
- iommu_dma_free_iova(cookie, dma_addr, size);
+ if (unmapped)
+ iommu_dma_free_iova(cookie, dma_addr, unmapped);
Frankly, if any part of the unmap fails then things have gone
catastrophically wrong already, but either way this isn't right. The
IOVA API doesn't support partial freeing - an IOVA *must* be freed with
its original size, or not freed at all, otherwise it will corrupt the
state of the rcaches and risk a cascade of further misbehaviour for
future callers.
TBH my gut feeling here is that you're really just trying to treat a
symptom of another bug elsewhere, namely some driver calling dma_unmap_*
or dma_free_* with the wrong address or size in the first place.
Robin.
}
static dma_addr_t __iommu_dma_map(struct device *dev, phys_addr_t phys,