iommu/vt-d: drop mm use count if address is not canonical
The use count of svm->mm is incremented by mmget_not_zero. However, it is not dropped when the address is not canonical. This patch fixes the bug. Fixes: 9d8c3af31607("iommu/vt-d: IOMMU Page Request needs to check if address is canonical.") Signed-off-by: Pan Bian --- drivers/iommu/intel-svm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c index 3a4b09a..2630d2e 100644 --- a/drivers/iommu/intel-svm.c +++ b/drivers/iommu/intel-svm.c @@ -574,8 +574,10 @@ static irqreturn_t prq_event_thread(int irq, void *d) goto bad_req; /* If address is not canonical, return invalid response */ - if (!is_canonical_address(address)) + if (!is_canonical_address(address)) { + mmput(svm->mm); goto bad_req; + } down_read(>mm->mmap_sem); vma = find_extend_vma(svm->mm, address); -- 2.7.4 ___ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
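Review bot: in the non-canonical branch of prq_event_thread(), mmput(svm->mm) is now open-coded immediately before goto bad_req, which ties the release to this one call site. The context line "goto bad_req;" just above reaches the same label, so the put cannot simply move into bad_req unless that earlier path also holds a reference. A dedicated label placed ahead of bad_req that does the mmput() would keep the unwind in one place, so an exit added later between the mmget_not_zero() and down_read() cannot skip it. Separately, the Fixes: line has no space between the commit id and the opening parenthesis; the usual form is Fixes: 9d8c3af31607 ("...").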
[PATCH] iommu: use memunmap to free memremap
memunmap() should be used to free the return of memremap(), not iounmap(). Fixes: dfddb969edf0("iommu/vt-d: Switch from ioremap_cache to memremap") Signed-off-by: Pan Bian --- drivers/iommu/intel-iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c index f3ccf02..41a4b88 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -3075,7 +3075,7 @@ static int copy_context_table(struct intel_iommu *iommu, } if (old_ce) - iounmap(old_ce); + memunmap(old_ce); ret = 0; if (devfn < 0x80) -- 2.7.4
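Review bot: the changelog does not say whether the "if (old_ce) iounmap(old_ce);" site in copy_context_table() is the only place where a memremap() mapping is still released with iounmap(). Only this one call is visible in the hunk, so please state that the function's other unmap paths were checked, or convert them in the same patch. The subject prefix would also match the file and the commit named in Fixes: better as "iommu/vt-d:" than the bare "iommu:", and the Fixes: line needs a space between the commit id and the opening parenthesis.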
[PATCH 1/1] iommu/amd: fix incorrect error handling
From: Pan Bian <bianpan2...@163.com> In function amd_iommu_bind_pasid(), the control flow jumps to label out_free when pasid_state->mm and mm is NULL. And mmput(mm) is called. In function mmput(mm), mm is referenced without validation. This will result in a NULL dereference bug. This patch fixes the bug. Signed-off-by: Pan Bian <bianpan2...@163.com> --- drivers/iommu/amd_iommu_v2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c index 0633439..6629c47 100644 --- a/drivers/iommu/amd_iommu_v2.c +++ b/drivers/iommu/amd_iommu_v2.c @@ -696,9 +696,9 @@ int amd_iommu_bind_pasid(struct pci_dev *pdev, int pasid, out_unregister: mmu_notifier_unregister(_state->mn, mm); + mmput(mm); out_free: - mmput(mm); free_pasid_state(pasid_state); out: -- 1.9.1
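Review bot: with mmput(mm) moved up under out_unregister in amd_iommu_bind_pasid(), the out_free label no longer drops the mm reference, so every "goto out_free" must come from a point where no reference is held. The hunk shows only the labels, not the jumps. The changelog names the mm == NULL case; please confirm there that it is the only path reaching out_free, otherwise a jump taken after the reference was obtained now leaks it. A Fixes: tag naming the commit that introduced the error path would also help backporting.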