Commit 30e0ff6d authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'iommu-fixes-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux 

Pull iommu fixes from Joerg Roedel:
 "This is probably the largest fixes pull-request ever sent for IOMMU. I
  partially blame it on AI code review which found some issues but there
  is also some rework in here to fix issues in the iommu parts of PCI
  device reset.

  AMD-Vi:
   - Add bounds checks to debugfs and table lookups

  Intel VT-d:
   - Apply an existing quirk for Q35 graphic device
   - Skip dev_pasid teardown for the blocked domain to avoid
     out-of-bounds access
   - Return early if dev_pasid is missing to prevent NULL dereference
     or UAF

  Core:
   - Fix bugs and corner cases in pci_dev_reset_iommu_prepare/done()
   - Fix various issues found by AI in iommupt code

  MAINTAINERS email address update for RISCV IOMMU"

* tag 'iommu-fixes-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/iommu/linux:
  MAINTAINERS: update Tomasz Jeznach's email address
  iommupt: Fix the end_index calculation in __map_range_leaf()
  iommupt: Check for missing PAGE_SIZE in the pgsize_bitmap
  iommu: Handle unmap error when iommu_debug is enabled
  iommu: Fix up map/unmap debugging for iommupt domains
  iommu: Fix loss of errno on map failure for classic ops
  iommu/vt-d: Avoid NULL pointer dereference or refcount corruption
  iommu/vt-d: Fix oops due to out of scope access
  iommu/vt-d: Disable DMAR for Intel Q35 IGFX
  iommu: Warn on premature unblock during DMA aliased sibling reset
  iommu: Fix WARN_ON in __iommu_group_set_domain_nofail() due to reset
  iommu: Fix ATS invalidation timeouts during __iommu_remove_group_pasid()
  iommu: Fix nested pci_dev_reset_iommu_prepare/done()
  iommu: Fix pasid attach in pci_dev_reset_iommu_prepare/done()
  iommu: Replace per-group resetting_domain with per-gdev blocked flag
  iommu: Fix kdocs of pci_dev_reset_iommu_done()
  iommu: Fix NULL group->domain dereference in pci_dev_reset_iommu_done()
  iommu/amd: Bounds-check devid in __rlookup_amd_iommu()
  iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs
parents 3bf83e47 1bb54043

.mailmap

+1 −0
Original line number Diff line number Diff line
@@ -857,6 +857,7 @@ Tobias Klauser <tklauser@distanz.ch> <klto@zhaw.ch> 
Tobias Klauser <tklauser@distanz.ch> <tklauser@nuerscht.ch>

Tobias Klauser <tklauser@distanz.ch> <tklauser@xenon.tklauser.home>

Todor Tomov <todor.too@gmail.com> <todor.tomov@linaro.org>

Tomasz Jeznach <tomasz.jeznach@linux.dev> <tjeznach@rivosinc.com>

Tony Luck <tony.luck@intel.com>

Trilok Soni <quic_tsoni@quicinc.com> <tsoni@codeaurora.org>

TripleX Chung <xxx.phy@gmail.com> <triplex@zh-kernel.org>

MAINTAINERS

+1 −1
Original line number Diff line number Diff line
@@ -22951,7 +22951,7 @@ N: riscv 
K:	riscv









RISC-V IOMMU









M:	Tomasz Jeznach <tjeznach@rivosinc.com>









M:	Tomasz Jeznach <tomasz.jeznach@linux.dev>









L:	iommu@lists.linux.dev









L:	linux-riscv@lists.infradead.org









S:	Maintained

























drivers/iommu/amd/debugfs.c



+5
−4






























Original line number
Diff line number
Diff line







@@ -31,11 +31,12 @@ static ssize_t iommu_mmio_write(struct file *filp, const char __user *ubuf,







	if (cnt > OFS_IN_SZ)









		return -EINVAL;



















	ret = kstrtou32_from_user(ubuf, cnt, 0, &dbg_mmio_offset);









	ret = kstrtos32_from_user(ubuf, cnt, 0, &dbg_mmio_offset);









	if (ret)









		return ret;



















	if (dbg_mmio_offset > iommu->mmio_phys_end - sizeof(u64))









	if (dbg_mmio_offset < 0 || dbg_mmio_offset >









			iommu->mmio_phys_end - sizeof(u64))









		return -EINVAL;



















	iommu->dbg_mmio_offset = dbg_mmio_offset;








@@ -71,12 +72,12 @@ static ssize_t iommu_capability_write(struct file *filp, const char __user *ubuf







	if (cnt > OFS_IN_SZ)









		return -EINVAL;



















	ret = kstrtou32_from_user(ubuf, cnt, 0, &dbg_cap_offset);









	ret = kstrtos32_from_user(ubuf, cnt, 0, &dbg_cap_offset);









	if (ret)









		return ret;



















	/* Capability register at offset 0x14 is the last IOMMU capability register. */









	if (dbg_cap_offset > 0x14)









	if (dbg_cap_offset < 0 || dbg_cap_offset > 0x14)









		return -EINVAL;



















	iommu->dbg_cap_offset = dbg_cap_offset;
































drivers/iommu/amd/iommu.c



+6
−2






























Original line number
Diff line number
Diff line







@@ -351,7 +351,11 @@ static struct amd_iommu *__rlookup_amd_iommu(u16 seg, u16 devid)







	struct amd_iommu_pci_seg *pci_seg;



















	for_each_pci_segment(pci_seg) {









		if (pci_seg->id == seg)









		if (pci_seg->id != seg)









			continue;









		/* IVRS may not describe every device on the bus */









		if (devid > pci_seg->last_bdf)









			return NULL;









		return pci_seg->rlookup_table[devid];









	}









	return NULL;
































drivers/iommu/generic_pt/iommu_pt.h



+15
−9






























Original line number
Diff line number
Diff line







@@ -534,10 +534,12 @@ static int __map_range_leaf(struct pt_range *range, void *arg,







	struct pt_state pts = pt_init(range, level, table);









	struct pt_iommu_map_args *map = arg;









	unsigned int leaf_pgsize_lg2 = map->leaf_pgsize_lg2;









	unsigned int leaves_avail;









	unsigned int start_index;









	pt_oaddr_t oa = map->oa;









	unsigned int num_leaves;









	pt_vaddr_t num_leaves;









	unsigned int orig_end;









	unsigned int step_lg2;









	pt_vaddr_t last_va;









	unsigned int step;









	bool need_contig;








@@ -546,21 +548,25 @@ static int __map_range_leaf(struct pt_range *range, void *arg,







	PT_WARN_ON(map->leaf_level != level);









	PT_WARN_ON(!pt_can_have_leaf(&pts));



















	step = log2_to_int_t(unsigned int,









			     leaf_pgsize_lg2 - pt_table_item_lg2sz(&pts));









	need_contig = leaf_pgsize_lg2 != pt_table_item_lg2sz(&pts);









	step_lg2 = leaf_pgsize_lg2 - pt_table_item_lg2sz(&pts);









	step = log2_to_int_t(unsigned int, step_lg2);









	need_contig = step_lg2 != 0;



















	_pt_iter_first(&pts);









	start_index = pts.index;









	orig_end = pts.end_index;









	if (pts.index + map->num_leaves < pts.end_index) {









	leaves_avail =









		log2_div_t(unsigned int, pts.end_index - pts.index, step_lg2);









	if (map->num_leaves <= leaves_avail) {









		/* Need to stop in the middle of the table to change sizes */









		pts.end_index = pts.index + map->num_leaves;









		pts.end_index = pts.index + log2_mul(map->num_leaves, step_lg2);









		num_leaves = 0;









	} else {









		num_leaves = map->num_leaves - (pts.end_index - pts.index);









		num_leaves = map->num_leaves - leaves_avail;









	}



















	PT_WARN_ON(









		log2_mod_t(unsigned int, pts.end_index - pts.index, step_lg2));









	do {









		pts.type = pt_load_entry_raw(&pts);









		if (pts.type != PT_ENTRY_EMPTY || need_contig) {








@@ -920,8 +926,8 @@ static int NS(map_range)(struct pt_iommu *iommu_table, dma_addr_t iova,







		return ret;



















	/* Calculate target page size and level for the leaves */









	if (pt_has_system_page_size(common) && len == PAGE_SIZE) {









		PT_WARN_ON(!(pgsize_bitmap & PAGE_SIZE));









	if (pt_has_system_page_size(common) && len == PAGE_SIZE &&









		likely(pgsize_bitmap & PAGE_SIZE)) {









		if (log2_mod(iova | paddr, PAGE_SHIFT))









			return -ENXIO;









		map.leaf_pgsize_lg2 = PAGE_SHIFT;