| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250605201927.339352-2-sdl@nppct.ru>
Date: Thu, 5 Jun 2025 20:19:21 +0000
From: Alexey Nepomnyashih <sdl@...ct.ru>
To: Lyude Paul <lyude@...hat.com>
Cc: Alexey Nepomnyashih <sdl@...ct.ru>,
Danilo Krummrich <dakr@...nel.org>,
David Airlie <airlied@...il.com>,
Simona Vetter <simona@...ll.ch>,
Maxime Coquelin <mcoquelin.stm32@...il.com>,
Alexandre Torgue <alexandre.torgue@...s.st.com>,
dri-devel@...ts.freedesktop.org,
nouveau@...ts.freedesktop.org,
linux-stm32@...md-mailman.stormreply.com,
linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org,
stable@...r.kernel.org
Subject: [PATCH v2 2/2] drm/nouveau/instmem/gk20a: fix incorrect argument in iommu_unmap
The unmap logic assumes a fixed step size of PAGE_SIZE, but the
actual IOVA step depends on iommu_pgshift, not PAGE_SHIFT. If
iommu_pgshift > PAGE_SHIFT, this results in mismatched offsets and
causes iommu_unmap() to target incorrect addresses, potentially
leaving mappings intact or corrupting IOMMU state.
Fix this by recomputing the offset per index using the same logic as
in the map loop, ensuring symmetry and correctness.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: stable@...r.kernel.org # v4.3+
Fixes: a7f6da6e758c ("drm/nouveau/instmem/gk20a: add IOMMU support")
Signed-off-by: Alexey Nepomnyashih <sdl@...ct.ru>
---
drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c
index 17a0e1a46211..f58e0d4fb2b1 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/instmem/gk20a.c
@@ -481,8 +481,9 @@ gk20a_instobj_ctor_iommu(struct gk20a_instmem *imem, u32 npages, u32 align,
nvkm_error(subdev, "IOMMU mapping failure: %d\n", ret);
while (i-- > 0) {
- offset -= PAGE_SIZE;
- iommu_unmap(imem->domain, offset, PAGE_SIZE);
+ iommu_unmap(imem->domain,
+ ((unsigned long)r->offset + i) << imem->iommu_pgshift,
+ PAGE_SIZE);
}
goto release_area;
}
--
2.43.0
Powered by blists - more mailing lists