| Message ID | 20160606122010.GA3048@x61s.reliablesolutions.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Mon, Jun 06, 2016 at 02:20:11PM +0200, Jan Niehusmann wrote: > The valid range of 'did' in get_iommu_domain(*iommu, did) > is 0..cap_ndoms(iommu->cap), so don't exceed that > range in free_all_cpu_cached_iovas(). > > The user-visible impact of the out-of-bounds access is the machine > hanging on suspend-to-ram. It is, in fact, a kernel panic, but due > to already suspended devices, that's often not visible to the user. > > Fixes: 22e2f9fa63b0 ("iommu/vt-d: Use per-cpu IOVA caching") > Signed-off-by: Jan Niehusmann <jan@gondor.com> > Tested-By: Marius Vlad <marius.c.vlad@intel.com> Queued to iommu/fixes branch, thanks Jan. Joerg
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c index a644d0c..82989d4 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -4600,7 +4600,7 @@ static void free_all_cpu_cached_iovas(unsigned int cpu) if (!iommu) continue; - for (did = 0; did < 0xffff; did++) { + for (did = 0; did < cap_ndoms(iommu->cap); did++) { domain = get_iommu_domain(iommu, did); if (!domain)
The valid range of 'did' in get_iommu_domain(*iommu, did) is 0..cap_ndoms(iommu->cap), so don't exceed that range in free_all_cpu_cached_iovas(). The user-visible impact of the out-of-bounds access is the machine hanging on suspend-to-ram. It is, in fact, a kernel panic, but due to already suspended devices, that's often not visible to the user. Fixes: 22e2f9fa63b0 ("iommu/vt-d: Use per-cpu IOVA caching") Signed-off-by: Jan Niehusmann <jan@gondor.com> Tested-By: Marius Vlad <marius.c.vlad@intel.com> --- Added some details and Tested-By to the commit message. Patch is unchanged. Posted to intel-gfx@lists.freedesktop.org and iommu@lists.linux-foundation.org where the issue was discussed.