linux-uconsole/drivers
Alex Williamson d200964e4d vfio/type1: Add proper error unwind for vfio_iommu_replay()
[ Upstream commit aae7a75a82 ]

The vfio_iommu_replay() function does not currently unwind on error,
yet it does pin pages, perform IOMMU mapping, and modify the vfio_dma
structure to indicate IOMMU mapping.  The IOMMU mappings are torn down
when the domain is destroyed, but the other actions go on to cause
trouble later.  For example, the iommu->domain_list can be empty if we
only have a non-IOMMU backed mdev attached.  We don't currently check
if the list is empty before getting the first entry in the list, which
leads to a bogus domain pointer.  If a vfio_dma entry is erroneously
marked as iommu_mapped, we'll attempt to use that bogus pointer to
retrieve the existing physical page addresses.

This is the scenario that uncovered this issue, attempting to hot-add
a vfio-pci device to a container with an existing mdev device and DMA
mappings, one of which could not be pinned, causing a failure adding
the new group to the existing container and setting the conditions
for a subsequent attempt to explode.

To resolve this, we can first check if the domain_list is empty so
that we can reject replay of a bogus domain, should we ever encounter
this inconsistent state again in the future.  The real fix though is
to add the necessary unwind support, which means cleaning up the
current pinning if an IOMMU mapping fails, then walking back through
the r-b tree of DMA entries, reading from the IOMMU which ranges are
mapped, and unmapping and unpinning those ranges.  To be able to do
this, we also defer marking the DMA entry as IOMMU mapped until all
entries are processed, in order to allow the unwind to know the
disposition of each entry.

Fixes: a54eb55045 ("vfio iommu type1: Add support for mediated devices")
Reported-by: Zhiyi Guo <zhguo@redhat.com>
Tested-by: Zhiyi Guo <zhguo@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-08-26 10:31:04 +02:00
accessibility
acpi ACPICA: Do not increment operation_region reference counts for field units 2020-08-19 08:14:53 +02:00
amba
android binder: Prevent context manager from incrementing ref 0 2020-08-11 15:32:31 +02:00
ata ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function 2020-06-30 23:17:13 -04:00
atm atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent 2020-08-11 15:32:33 +02:00
auxdisplay
base driver core: Avoid binding drivers to dead devices 2020-08-21 11:05:32 +02:00
bcma bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA 2020-01-27 14:51:09 +01:00
block loop: be paranoid on exit and prevent new additions / removals 2020-08-19 08:14:50 +02:00
bluetooth Bluetooth: hci_serdev: Only unregister device if it was registered 2020-08-19 08:15:00 +02:00
bus bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads 2020-04-17 10:48:37 +02:00
cdrom
char agp/intel: Fix a memory leak on module initialisation failure 2020-08-19 08:14:53 +02:00
clk clk: clk-atlas6: fix return value check in atlas6_clk_init() 2020-08-21 11:05:36 +02:00
clocksource clocksource: dw_apb_timer_of: Fix missing clockevent timers 2020-06-22 09:05:11 +02:00
connector
cpufreq cpufreq: intel_pstate: Fix cpuinfo_max_freq when MSR_TURBO_RATIO_LIMIT is 0 2020-08-26 10:31:01 +02:00
cpuidle cpuidle: Fix three reference count leaks 2020-06-22 09:05:20 +02:00
crypto crypto: cpt - don't sleep of CRYPTO_TFM_REQ_MAY_SLEEP was not specified 2020-08-19 08:15:05 +02:00
dax
dca
devfreq Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs" 2020-03-05 16:42:18 +01:00
dio
dma dmaengine: ioat setting ioat timeout as module parameter 2020-07-29 10:16:53 +02:00
dma-buf
edac EDAC: Fix reference count leaks 2020-08-19 08:14:48 +02:00
eisa
extcon extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' 2020-06-25 15:33:01 +02:00
firewire
firmware firmware: arm_scmi: Fix SCMI genpd domain probing 2020-08-19 08:14:48 +02:00
fmc
fpga fpga: dfl: fix bug in port reset handshake 2020-07-29 10:16:48 +02:00
fsi fsi: sbefifo: Don't fail operations when in SBE IPL state 2020-01-27 14:51:00 +01:00
gnss gnss: sirf: fix error return code in sirf_probe() 2020-06-22 09:05:28 +02:00
gpio gpio: arizona: put pm_runtime in case of failure 2020-07-29 10:16:44 +02:00
gpu drm/amd/display: fix pow() crashing when given base 0 2020-08-26 10:31:00 +02:00
hid HID: input: Fix devices that return multiple bytes in battery report 2020-08-19 08:14:47 +02:00
hsi
hv Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23) 2020-08-11 15:32:33 +02:00
hwmon hwmon: (scmi) Fix potential buffer overflow in scmi_hwmon_probe() 2020-07-29 10:16:54 +02:00
hwspinlock
hwtracing coresight: tmc: Fix TMC mode read in tmc_read_unprepare_etb() 2020-08-19 08:14:58 +02:00
i2c i2c: rcar: avoid race when unregistering slave 2020-08-21 11:05:37 +02:00
ide ide: serverworks: potential overflow in svwks_set_pio_mode() 2020-02-24 08:34:49 +01:00
idle
iio iio: dac: ad5592r: fix unbalanced mutex unlocks in ad5592r_read_raw() 2020-08-21 11:05:31 +02:00
infiniband RDMA/ipoib: Fix ABBA deadlock with ipoib_reap_ah() 2020-08-21 11:05:34 +02:00
input Input: psmouse - add a newline when printing 'proto' by sysfs 2020-08-26 10:31:01 +02:00
iommu iommu/omap: Check for failure of a call to omap_iommu_dump_ctx 2020-08-21 11:05:36 +02:00
ipack ipack: tpci200: fix error return code in tpci200_register() 2020-05-27 17:37:43 +02:00
irqchip genirq/affinity: Make affinity setting if activated opt-in 2020-08-21 11:05:28 +02:00
isdn PCI: add USR vendor id and use it in r8169 and w6692 driver 2020-06-22 09:05:23 +02:00
leds leds: core: Flush scheduled work for system suspend 2020-08-19 08:14:56 +02:00
lightnvm lightnvm: pblk: fix lock order in pblk_rb_tear_down_check 2020-01-27 14:50:45 +01:00
macintosh drivers/macintosh: Fix memleak in windfarm_pm112 driver 2020-06-22 09:05:29 +02:00
mailbox mailbox: qcom-apcs: fix max_register value 2020-01-27 14:51:14 +01:00
mcb
md dm rq: don't call blk_mq_queue_stopped() in dm_stop_queue() 2020-08-21 11:05:35 +02:00
media media: vpss: clean up resources in init 2020-08-26 10:31:00 +02:00
memory memory: tegra: Don't invoke Tegra30+ specific memory timing setup on Tegra20 2020-01-27 14:50:13 +01:00
memstick
message scsi: mptscsih: Fix read sense data size 2020-07-16 08:17:23 +02:00
mfd mfd: dln2: Run event handler loop under spinlock 2020-08-21 11:05:38 +02:00
misc cxl: Fix kobject memleak 2020-08-19 08:14:55 +02:00
mmc mmc: renesas_sdhi_internal_dmac: clean up the code for dma complete 2020-08-21 11:05:35 +02:00
mtd mtd: rawnand: qcom: avoid write to unavailable register 2020-08-19 08:15:07 +02:00
mux
net bonding: fix a potential double-unregister 2020-08-26 10:31:03 +02:00
nfc nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame 2020-08-05 10:06:05 +02:00
ntb NTB: perf: Fix race condition when run with ntb_test 2020-06-25 15:33:03 +02:00
nubus
nvdimm libnvdimm: Fix endian conversion issues 2020-06-07 13:17:53 +02:00
nvme nvme-rdma: assign completion vector correctly 2020-07-16 08:17:23 +02:00
nvmem nvmem: qfprom: remove incorrect write support 2020-06-10 21:35:00 +02:00
of of: of_mdio: Correct loop scanning logic 2020-07-22 09:32:03 +02:00
opp OPP: Fix missing debugfs supply directory for OPPs 2020-01-27 14:50:04 +01:00
oprofile
parisc parisc: mask out enable and reserved bits from sba imask 2020-08-19 08:15:07 +02:00
parport
pci PCI: Probe bridge window attributes once at enumeration-time 2020-08-21 11:05:29 +02:00
pcmcia
perf drivers/perf: hisi: Fix wrong value for all counters enable 2020-06-25 15:33:04 +02:00
phy phy: exynos5-usbdrd: Calibrating makes sense only for USB2.0 PHY 2020-08-19 08:14:57 +02:00
pinctrl pinctrl-single: fix pcs_parse_pinconf() return value 2020-08-19 08:15:02 +02:00
platform platform/x86: intel-vbtn: Fix return value check in check_acpi_dev() 2020-08-19 08:14:49 +02:00
pnp
power power: supply: check if calc_soc succeeded in pm860x_init_battery 2020-08-19 08:14:59 +02:00
powercap
pps
ps3
ptp ptp: free ptp device pin descriptors properly 2020-01-23 08:21:35 +01:00
pwm pwm: bcm-iproc: handle clk_get_rate() return 2020-08-21 11:05:36 +02:00
rapidio rapidio: fix an error in get_user_pages_fast() error handling 2020-05-27 17:37:43 +02:00
ras
regulator regualtor: pfuze100: correct sw1a/sw2 on pfuze3000 2020-06-30 23:17:10 -04:00
remoteproc remoteproc: qcom: q6v5: Update running state before requesting stop 2020-08-21 11:05:34 +02:00
reset reset: uniphier: Add SCSSI reset control for each channel 2020-02-24 08:34:44 +01:00
rpmsg rpmsg: glink: Remove chunk size word align warning 2020-04-13 10:45:16 +02:00
rtc rtc: goldfish: Enable interrupt in set_alarm() when necessary 2020-08-26 10:31:00 +02:00
s390 scsi: zfcp: Fix use-after-free in request timeout handlers 2020-08-26 10:30:59 +02:00
sbus
scsi scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases 2020-08-26 10:31:01 +02:00
sfi
sh
siox
slimbus slimbus: core: Fix mismatch in of_node_get/put 2020-07-22 09:32:07 +02:00
sn
soc soc: qcom: rpmh-rsc: Set suppress_bind_attrs flag 2020-08-19 08:14:50 +02:00
soundwire
spi spi: Prevent adding devices below an unregistering controller 2020-08-26 10:31:00 +02:00
spmi
ssb
staging staging: rtl8192u: fix a dubious looking mask before a shift 2020-08-19 08:14:58 +02:00
target scsi: target: tcmu: Fix crash in tcmu_flush_dcache_range on ARM 2020-08-26 10:31:00 +02:00
tc
tee tee: optee: Fix compilation issue with nommu 2020-02-05 14:43:50 +00:00
thermal thermal: ti-soc-thermal: Fix reversed condition in ti_thermal_expose_sensor() 2020-08-19 08:14:58 +02:00
thunderbolt thunderbolt: Drop duplicated get_switch_at_route() 2020-05-27 17:37:40 +02:00
tty vt: Reject zero-sized screen buffer size. 2020-07-29 10:16:56 +02:00
uio uio_pdrv_genirq: fix use without device tree and no interrupt 2020-07-22 09:32:11 +02:00
usb USB: serial: ftdi_sio: clean up receive processing 2020-08-21 11:05:35 +02:00
uwb
vfio vfio/type1: Add proper error unwind for vfio_iommu_replay() 2020-08-26 10:31:04 +02:00
vhost vhost/vsock: fix packet delivery order to monitoring devices 2020-05-27 17:37:32 +02:00
video video: pxafb: Fix the function used to balance a 'dma_alloc_coherent()' call 2020-08-19 08:14:54 +02:00
virt virt: vbox: Fix guest capabilities mask check 2020-07-22 09:32:10 +02:00
virtio virtio_ring: Avoid loop when vq is broken in virtqueue_poll 2020-08-26 10:31:01 +02:00
visorbus visorbus: fix uninitialized variable access 2020-02-24 08:34:47 +01:00
vlynq
vme vme: bridges: reduce stack usage 2020-02-24 08:34:47 +01:00
w1 w1: omap-hdq: cleanup to add missing newline for some dev_dbg 2020-06-22 09:05:30 +02:00
watchdog watchdog: initialize device before misc_register 2020-08-21 11:05:37 +02:00
xen xen/gntdev: Fix dmabuf import with non-zero sgt offset 2020-08-19 08:15:07 +02:00
zorro
Kconfig
Makefile