lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 03 Mar 2020 17:33:57 +0000
From:   Marc Zyngier <maz@...nel.org>
To:     Robin Murphy <robin.murphy@....com>
Cc:     linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
        Joerg Roedel <jroedel@...e.de>,
        Eric Auger <eric.auger@...hat.com>,
        Will Deacon <will@...nel.org>, stable@...r.kernel.org
Subject: Re: [PATCH] iommu/dma: Fix MSI reservation allocation

On 2020-03-03 17:23, Robin Murphy wrote:
> On 03/03/2020 11:51 am, Marc Zyngier wrote:
>> The way cookie_init_hw_msi_region() allocates the iommu_dma_msi_page
>> structures doesn't match the way iommu_put_dma_cookie() frees them.
>> 
>> The former performs a single allocation of all the required 
>> structures,
>> while the latter tries to free them one at a time. It doesn't quite
>> work for the main use case (the GICv3 ITS where the range is 64kB)
>> when the base ganule size is 4kB.
>> 
>> This leads to a nice slab corruption on teardown, which is easily
>> observable by simply creating a VF on a SRIOV-capable device, and
>> tearing it down immediately (no need to even make use of it).
>> 
>> Fix it by allocating iommu_dma_msi_page structures one at a time.
> 
> Bleh, you know you're supposed to be using 64K pages on those things, 
> right? :P

lalalala... ;-)

[...]

>> +		if (!msi_page) {
>> +			ret = -ENOMEM;
> 
> I think we can just return here and skip the cleanup below - by the
> time we get here the cookie itself has already been allocated and
> initialised, so even if iommu_dma_init_domain() fails someone else has
> already accepted the responsibility of calling iommu_put_dma_cookie()
> at some point later, which will clean up properly.

Ah, that's a very good point. I'll refresh the patch with a simplified
error handling.

Thanks,

         M.
-- 
Jazz is not dead. It just smells funny...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ