From: Yunsheng Lin linyunsheng@huawei.com
mainline inclusion from mainline-v5.4-rc1 commit 6b0c54e7f2715997c366e8374209bc74259b0a59 category: bugfix bugzilla: 21318 CVE: NA
-------------------------------------------------------------------------
The cookie is dereferenced before null checking in the function iommu_dma_init_domain.
This patch moves the dereferencing after the null checking.
Fixes: fdbe574eb693 ("iommu/dma: Allow MSI-only cookies") Signed-off-by: Yunsheng Lin linyunsheng@huawei.com Signed-off-by: Joerg Roedel jroedel@suse.de Conflicts: drivers/iommu/dma-iommu.c
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com Reviewed-by: Hanjun Guo guohanjun@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/iommu/dma-iommu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c index 64ae17e8b..b68d9fd 100644 --- a/drivers/iommu/dma-iommu.c +++ b/drivers/iommu/dma-iommu.c @@ -290,13 +290,15 @@ int iommu_dma_init_domain(struct iommu_domain *domain, dma_addr_t base, u64 size, struct device *dev) { struct iommu_dma_cookie *cookie = domain->iova_cookie; - struct iova_domain *iovad = &cookie->iovad; unsigned long order, base_pfn, end_pfn; + struct iova_domain *iovad; int attr;
if (!cookie || cookie->type != IOMMU_DMA_IOVA_COOKIE) return -EINVAL;
+ iovad = &cookie->iovad; + /* Use the smallest supported page size for IOVA granularity */ order = __ffs(domain->pgsize_bitmap); base_pfn = max_t(unsigned long, 1, base >> order);
From: Jacob Pan jacob.jun.pan@linux.intel.com
mainline inclusion from mainline-v5.7-rc1 commit 902baf61adf6b187f0a6b789e70d788ea71ff5bc category: bugfix bugzilla: 34102 CVE: NA
-------------------------------------------------------------------------
Move canonical address check before mmget_not_zero() to avoid mm reference leak.
Fixes: 9d8c3af31607 ("iommu/vt-d: IOMMU Page Request needs to check if address is canonical.") Signed-off-by: Jacob Pan jacob.jun.pan@linux.intel.com Acked-by: Lu Baolu baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel jroedel@suse.de Signed-off-by: Zhen Lei thunder.leizhen@huawei.com Reviewed-by: Hanjun Guo guohanjun@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/iommu/intel-svm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c index 5944d3b..ef3aade 100644 --- a/drivers/iommu/intel-svm.c +++ b/drivers/iommu/intel-svm.c @@ -620,14 +620,15 @@ static irqreturn_t prq_event_thread(int irq, void *d) * any faults on kernel addresses. */ if (!svm->mm) goto bad_req; - /* If the mm is already defunct, don't handle faults. */ - if (!mmget_not_zero(svm->mm)) - goto bad_req;
/* If address is not canonical, return invalid response */ if (!is_canonical_address(address)) goto bad_req;
+ /* If the mm is already defunct, don't handle faults. */ + if (!mmget_not_zero(svm->mm)) + goto bad_req; + down_read(&svm->mm->mmap_sem); vma = find_extend_vma(svm->mm, address); if (!vma || address < vma->vm_start)
-
Yang Yingliang