[PATCH] iommu/dma: limit iova free size to unmapped iova
Robin Murphy
robin.murphy at arm.com
Thu May 21 20:16:30 UTC 2020
On 2020-05-21 12:30, Prakash Gupta wrote:
> Limit the iova size while freeing based on unmapped size. In absence of
> this even with unmap failure, invalid iova is pushed to iova rcache and
> subsequently can cause panic while rcache magazine is freed.

Can you elaborate on that panic?

> Signed-off-by: Prakash Gupta <guptap at codeaurora.org>
>
> :100644 100644 4959f5df21bd 098f7d377e04 M drivers/iommu/dma-iommu.c
>
> diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
> index 4959f5df21bd..098f7d377e04 100644
> --- a/drivers/iommu/dma-iommu.c
> +++ b/drivers/iommu/dma-iommu.c
> @@ -472,7 +472,8 @@ static void __iommu_dma_unmap(struct device *dev, dma_addr_t dma_addr,
>
> if (!cookie->fq_domain)
> iommu_tlb_sync(domain, &iotlb_gather);
> - iommu_dma_free_iova(cookie, dma_addr, size);
> + if (unmapped)
> + iommu_dma_free_iova(cookie, dma_addr, unmapped);

Frankly, if any part of the unmap fails then things have gone
catastrophically wrong already, but either way this isn't right. The
IOVA API doesn't support partial freeing - an IOVA *must* be freed with
its original size, or not freed at all, otherwise it will corrupt the
state of the rcaches and risk a cascade of further misbehaviour for
future callers.

TBH my gut feeling here is that you're really just trying to treat a
symptom of another bug elsewhere, namely some driver calling dma_unmap_*
or dma_free_* with the wrong address or size in the first place.

Robin.

> }
>
> static dma_addr_t __iommu_dma_map(struct device *dev, phys_addr_t phys,
>
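
Review bot: the replacement call `iommu_dma_free_iova(cookie, dma_addr, unmapped)` frees the range with the `unmapped` length instead of the `size` the caller passed, so whenever the two differ the IOVA is returned with a size other than the one it was handed out with, and the `if (unmapped)` guard silently skips the free (leaking the IOVA) when nothing was unmapped. As the reply in this thread points out, an IOVA has to be freed with its original size or not at all. Suggest leaving the free at `size`, making the `unmapped != size` case loud rather than hiding it, and putting the panic trace in the commit message so the caller that passed the wrong address or size can be identified.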