[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZC7Kb3WmjvooWtLE@nvidia.com>
Date: Thu, 6 Apr 2023 10:34:39 -0300
From: Jason Gunthorpe <jgg@...dia.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: iommu@...ts.linux.dev, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, Kevin Tian <kevin.tian@...el.com>
Subject: [GIT PULL] Please pull IOMMUFD subsystem changes
Hi Linus,
Three bug fixes that a syzkaller instance found in iommufd. We added
some selftest coverage for this, but it will come in the merge window
as it depends on some other selftest changes.
I'm pretty happy with this as it shows the selftest setup is allowing
syzkaller into code paths that would normally be only reached by
in-kernel VFIO mdev drivers. These are bugs that the normal vGVT and
S390 vfio-mdev test suites didn't find.
Thanks,
Jason
The following changes since commit 7e364e56293bb98cae1b55fd835f5991c4e96e7d:
Linux 6.3-rc5 (2023-04-02 14:29:29 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jgg/iommufd.git tags/for-linus-iommufd
for you to fetch changes up to 13a0d1ae7ee6b438f5537711a8c60cba00554943:
iommufd: Do not corrupt the pfn list when doing batch carry (2023-04-04 09:10:55 -0300)
----------------------------------------------------------------
iommufd for 6.3 rc
Three bugs found by syzkaller:
- An invalid VA range can be be put in a pages and eventually trigger
WARN_ON, reject it early
- Use of the wrong start index value when doing the complex batch carry
scheme
- Wrong store ordering resulting in corrupting data used in a later
calculation that corrupted the batch structure during carry
----------------------------------------------------------------
Jason Gunthorpe (3):
iommufd: Check for uptr overflow
iommufd: Fix unpinning of pages when an access is present
iommufd: Do not corrupt the pfn list when doing batch carry
drivers/iommu/iommufd/pages.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)
Powered by blists - more mailing lists