iommu/vt-d: drop mm use count if address is not canonical

2019-04-17 Thread Pan Bian 
The use count of svm->mm is incremented by mmget_not_zero. However, it
is not dropped when the address is not canonical. This patch fixes the
bug.

Fixes: 9d8c3af31607("iommu/vt-d: IOMMU Page Request needs to check if
address is canonical.")

Signed-off-by: Pan Bian 
---
 drivers/iommu/intel-svm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
index 3a4b09a..2630d2e 100644
--- a/drivers/iommu/intel-svm.c
+++ b/drivers/iommu/intel-svm.c
@@ -574,8 +574,10 @@ static irqreturn_t prq_event_thread(int irq, void *d)
goto bad_req;
 
/* If address is not canonical, return invalid response */
-   if (!is_canonical_address(address))
+   if (!is_canonical_address(address)) {
+   mmput(svm->mm);
goto bad_req;
+   }
 
down_read(>mm->mmap_sem);
vma = find_extend_vma(svm->mm, address);
-- 
2.7.4


___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

[PATCH] iommu: use memunmap to free memremap

2018-11-21 Thread Pan Bian 
memunmap() should be used to free the return of memremap(), not
iounmap().

Fixes: dfddb969edf0("iommu/vt-d: Switch from ioremap_cache to memremap")
Signed-off-by: Pan Bian 
---
 drivers/iommu/intel-iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index f3ccf02..41a4b88 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -3075,7 +3075,7 @@ static int copy_context_table(struct intel_iommu *iommu,
}
 
if (old_ce)
-   iounmap(old_ce);
+   memunmap(old_ce);
 
ret = 0;
if (devfn < 0x80)
-- 
2.7.4


___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

[PATCH 1/1] iommu/amd: fix incorrect error handling

2017-04-23 Thread Pan Bian 
From: Pan Bian <bianpan2...@163.com>

In function amd_iommu_bind_pasid(), the control flow jumps to label
out_free when pasid_state->mm and mm is NULL. And mmput(mm) is called.
In function mmput(mm), mm is referenced without validation. This will
result in a NULL dereference bug. This patch fixes the bug.

Signed-off-by: Pan Bian <bianpan2...@163.com>
---
 drivers/iommu/amd_iommu_v2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/amd_iommu_v2.c b/drivers/iommu/amd_iommu_v2.c
index 0633439..6629c47 100644
--- a/drivers/iommu/amd_iommu_v2.c
+++ b/drivers/iommu/amd_iommu_v2.c
@@ -696,9 +696,9 @@ int amd_iommu_bind_pasid(struct pci_dev *pdev, int pasid,
 
 out_unregister:
mmu_notifier_unregister(_state->mn, mm);
+   mmput(mm);
 
 out_free:
-   mmput(mm);
free_pasid_state(pasid_state);
 
 out:
-- 
1.9.1


___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu