1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-01-26 18:43:33 -05:00
linux/drivers
Alex Williamson 08336fd218 intel-iommu: fix off-by-one in pagetable freeing
dma_pte_free_level() has an off-by-one error when checking whether a pte
is completely covered by a range.  Take for example the case of
attempting to free pfn 0x0 - 0x1ff, ie.  512 entries covering the first
2M superpage.

The level_size() is 0x200 and we test:

  static void dma_pte_free_level(...
	...

	if (!(0 > 0 || 0x1ff < 0 + 0x200)) {
		...
	}

Clearly the 2nd test is true, which means we fail to take the branch to
clear and free the pagetable entry.  As a result, we're leaking
pagetables and failing to install new pages over the range.

This was found with a PCI device assigned to a QEMU guest using vfio-pci
without a VGA device present.  The first 1M of guest address space is
mapped with various combinations of 4K pages, but eventually the range
is entirely freed and replaced with a 2M contiguous mapping.
intel-iommu errors out with something like:

  ERROR: DMA PTE for vPFN 0x0 already set (to 5c2b8003 not 849c00083)

In this case 5c2b8003 is the pointer to the previous leaf page that was
neither freed nor cleared and 849c00083 is the superpage entry that
we're trying to replace it with.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-01-21 16:19:41 -08:00
..
accessibility
acpi
amba
ata
atm
auxdisplay
base
bcma
block
bluetooth
bus
cdrom
char Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2014-01-21 09:06:02 -08:00
clk
clocksource
connector
cpufreq
cpuidle
crypto
dca
devfreq
dio
dma
edac
eisa
extcon
firewire
firmware
fmc
gpio MFD changes due for the v3.14 merge window 2014-01-21 10:58:17 -08:00
gpu
hid
hsi
hv
hwmon
hwspinlock
i2c
ide
idle
iio MFD changes due for the v3.14 merge window 2014-01-21 10:58:17 -08:00
infiniband
input MFD changes due for the v3.14 merge window 2014-01-21 10:58:17 -08:00
iommu intel-iommu: fix off-by-one in pagetable freeing 2014-01-21 16:19:41 -08:00
ipack
irqchip
isdn
leds GPIO tree bulk changes for v3.14 2014-01-21 10:09:12 -08:00
lguest
macintosh
mailbox
md
media
memory
memstick
message
mfd MFD changes due for the v3.14 merge window 2014-01-21 10:58:17 -08:00
misc
mmc
mtd
net
nfc
ntb
nubus
of
oprofile
parisc
parport
pci
pcmcia
phy
pinctrl MFD changes due for the v3.14 merge window 2014-01-21 10:58:17 -08:00
platform
pnp
power
powercap
pps
ps3
ptp
pwm pwm: Add LP3943 PWM driver 2014-01-21 08:28:00 +00:00
rapidio
regulator mfd: mc13xxx: Remove useless symbol MFD_MC13783 2014-01-21 08:28:09 +00:00
remoteproc
reset
rpmsg
rtc
s390
sbus
scsi
sfi
sh
sn
spi
ssb
staging
target
tc
thermal
tty
uio
usb
uwb
vfio
vhost
video
virt
virtio
vlynq
vme
w1
watchdog
xen
zorro
Kconfig
Makefile