lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 31 Aug 2022 16:12:36 -0400
From:   Matthew Rosato <mjrosato@...ux.ibm.com>
To:     iommu@...ts.linux.dev
Cc:     linux-s390@...r.kernel.org, schnelle@...ux.ibm.com,
        pmorel@...ux.ibm.com, borntraeger@...ux.ibm.com, hca@...ux.ibm.com,
        gor@...ux.ibm.com, gerald.schaefer@...ux.ibm.com,
        agordeev@...ux.ibm.com, svens@...ux.ibm.com, joro@...tes.org,
        will@...nel.org, robin.murphy@....com, jgg@...dia.com,
        linux-kernel@...r.kernel.org
Subject: [PATCH v4 2/2] iommu/s390: fix leak of s390_domain_device

Since allowing multiple domains to be attached via fa7e9ecc5e1c, it's now
possible that a kfree of s390_domain_device is missed, either because a
corresponding detach_dev was never called or because a repeat attach_dev
was called for the same device and domain pair (resulting in unnecessary
duplicates).  Check for duplicates during attach_dev and ensure the list
of s390_domain_device structures is cleared up when the domain is freed.

Fixes: fa7e9ecc5e1c ("iommu/s390: Tolerate repeat attach_dev calls")
Signed-off-by: Matthew Rosato <mjrosato@...ux.ibm.com>
---
 drivers/iommu/s390-iommu.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/s390-iommu.c b/drivers/iommu/s390-iommu.c
index 1137d669e849..db4dfbcf161b 100644
--- a/drivers/iommu/s390-iommu.c
+++ b/drivers/iommu/s390-iommu.c
@@ -78,7 +78,17 @@ static struct iommu_domain *s390_domain_alloc(unsigned domain_type)
 static void s390_domain_free(struct iommu_domain *domain)
 {
 	struct s390_domain *s390_domain = to_s390_domain(domain);
+	struct s390_domain_device *domain_device, *tmp;
+	unsigned long flags;
 
+	/* Ensure all device entries are cleaned up */
+	spin_lock_irqsave(&s390_domain->list_lock, flags);
+	list_for_each_entry_safe(domain_device, tmp, &s390_domain->devices,
+				 list) {
+		list_del(&domain_device->list);
+		kfree(domain_device);
+	}
+	spin_unlock_irqrestore(&s390_domain->list_lock, flags);
 	dma_cleanup_tables(s390_domain->dma_table);
 	kfree(s390_domain);
 }
@@ -88,7 +98,7 @@ static int s390_iommu_attach_device(struct iommu_domain *domain,
 {
 	struct s390_domain *s390_domain = to_s390_domain(domain);
 	struct zpci_dev *zdev = to_zpci_dev(dev);
-	struct s390_domain_device *domain_device;
+	struct s390_domain_device *domain_device, *ddev;
 	unsigned long flags;
 	int cc, rc;
 
@@ -140,7 +150,16 @@ static int s390_iommu_attach_device(struct iommu_domain *domain,
 		goto out_restore;
 	}
 	domain_device->zdev = zdev;
-	list_add(&domain_device->list, &s390_domain->devices);
+	/* If already attached don't add another instance */
+	list_for_each_entry(ddev, &s390_domain->devices, list) {
+		if (ddev->zdev == zdev) {
+			kfree(domain_device);
+			domain_device = NULL;
+			break;
+		}
+	}
+	if (domain_device)
+		list_add(&domain_device->list, &s390_domain->devices);
 	spin_unlock_irqrestore(&s390_domain->list_lock, flags);
 	zdev->s390_domain = s390_domain;
 	mutex_unlock(&zdev->dma_domain_lock);
-- 
2.37.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ