korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-15 08:14:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
463e862ac6
linux/kernel/dma
History
Will Deacon 463e862ac6 swiotlb: Convert io_default_tlb_mem to static allocation 
Since commit 69031f5008 ("swiotlb: Set dev->dma_io_tlb_mem to the
swiotlb pool used"), 'struct device' may hold a copy of the global
'io_default_tlb_mem' pointer if the device is using swiotlb for DMA. A
subsequent call to swiotlb_exit() will therefore leave dangling pointers
behind in these device structures, resulting in KASAN splats such as:

  |  BUG: KASAN: use-after-free in __iommu_dma_unmap_swiotlb+0x64/0xb0
  |  Read of size 8 at addr ffff8881d7830000 by task swapper/0/0
  |
  |  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc3-debug #1
  |  Hardware name: HP HP Desktop M01-F1xxx/87D6, BIOS F.12 12/17/2020
  |  Call Trace:
  |   <IRQ>
  |   dump_stack+0x9c/0xcf
  |   print_address_description.constprop.0+0x18/0x130
  |   kasan_report.cold+0x7f/0x111
  |   __iommu_dma_unmap_swiotlb+0x64/0xb0
  |   nvme_pci_complete_rq+0x73/0x130
  |   blk_complete_reqs+0x6f/0x80
  |   __do_softirq+0xfc/0x3be

Convert 'io_default_tlb_mem' to a static structure, so that the
per-device pointers remain valid after swiotlb_exit() has been invoked.
All users are updated to reference the static structure directly, using
the 'nslabs' field to determine whether swiotlb has been initialised.
The 'slots' array is still allocated dynamically and referenced via a
pointer rather than a flexible array member.

Cc: Claire Chang <tientzu@chromium.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Fixes: 69031f5008 ("swiotlb: Set dev->dma_io_tlb_mem to the swiotlb pool used")
Reported-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Claire Chang <tientzu@chromium.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
2021-07-23 20:14:43 -04:00
..
coherent.c dma-mapping: remove a trailing space 2021-06-22 08:15:46 +02:00
contiguous.c dma-contiguous: fix a typo error in a comment 2020-11-27 10:33:42 +01:00
debug.c dma-debug: report -EEXIST errors in add_dma_entry 2021-06-22 08:15:47 +02:00
debug.h dma-mapping: move dma-debug.h to kernel/dma/ 2020-10-06 07:07:05 +02:00
direct.c swiotlb: Add restricted DMA alloc/free support 2021-07-13 20:04:48 -04:00
direct.h swiotlb: Use is_swiotlb_force_bounce for swiotlb data bouncing 2021-07-13 20:04:43 -04:00
dummy.c dma-mapping: split <linux/dma-mapping.h> 2020-10-06 07:07:03 +02:00
Kconfig swiotlb: Add restricted DMA pool initialization 2021-07-13 20:04:50 -04:00
Makefile dma-mapping updates for 5.11: 2020-12-22 13:19:43 -08:00
map_benchmark.c dma-mapping: benchmark: Add support for multi-pages map/unmap 2021-04-02 16:41:08 +02:00
mapping.c dma-mapping: add a dma_alloc_noncontiguous API 2021-03-15 10:02:31 +01:00
ops_helpers.c dma-mapping: merge <linux/dma-noncoherent.h> into <linux/dma-map-ops.h> 2020-10-06 07:07:06 +02:00
pool.c dma-pool: no need to check return value of debugfs_create functions 2020-11-27 10:33:42 +01:00
remap.c kernel/dma: remove unnecessary unmap_kernel_range 2021-04-30 11:20:40 -07:00
swiotlb.c swiotlb: Convert io_default_tlb_mem to static allocation 2021-07-23 20:14:43 -04:00