Commit ccdd96be authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'iommu-fixes-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

Pull IOMMU fixes from Joerg Roedel:
 "Two similar fixes for the Intel and AMD IOMMU drivers to add proper
  access checks before calling handle_mm_fault"

* tag 'iommu-fixes-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/vt-d: Do access checks before calling handle_mm_fault()
  iommu/amd: Do proper access checking before calling handle_mm_fault()
parents 3273cba1 7f8312a3
...@@ -494,6 +494,22 @@ static void handle_fault_error(struct fault *fault) ...@@ -494,6 +494,22 @@ static void handle_fault_error(struct fault *fault)
} }
} }
static bool access_error(struct vm_area_struct *vma, struct fault *fault)
{
unsigned long requested = 0;
if (fault->flags & PPR_FAULT_EXEC)
requested |= VM_EXEC;
if (fault->flags & PPR_FAULT_READ)
requested |= VM_READ;
if (fault->flags & PPR_FAULT_WRITE)
requested |= VM_WRITE;
return (requested & ~vma->vm_flags) != 0;
}
static void do_fault(struct work_struct *work) static void do_fault(struct work_struct *work)
{ {
struct fault *fault = container_of(work, struct fault, work); struct fault *fault = container_of(work, struct fault, work);
...@@ -516,8 +532,8 @@ static void do_fault(struct work_struct *work) ...@@ -516,8 +532,8 @@ static void do_fault(struct work_struct *work)
goto out; goto out;
} }
if (!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE))) { /* Check if we have the right permissions on the vma */
/* handle_mm_fault would BUG_ON() */ if (access_error(vma, fault)) {
up_read(&mm->mmap_sem); up_read(&mm->mmap_sem);
handle_fault_error(fault); handle_fault_error(fault);
goto out; goto out;
......
...@@ -484,6 +484,23 @@ struct page_req_dsc { ...@@ -484,6 +484,23 @@ struct page_req_dsc {
}; };
#define PRQ_RING_MASK ((0x1000 << PRQ_ORDER) - 0x10) #define PRQ_RING_MASK ((0x1000 << PRQ_ORDER) - 0x10)
static bool access_error(struct vm_area_struct *vma, struct page_req_dsc *req)
{
unsigned long requested = 0;
if (req->exe_req)
requested |= VM_EXEC;
if (req->rd_req)
requested |= VM_READ;
if (req->wr_req)
requested |= VM_WRITE;
return (requested & ~vma->vm_flags) != 0;
}
static irqreturn_t prq_event_thread(int irq, void *d) static irqreturn_t prq_event_thread(int irq, void *d)
{ {
struct intel_iommu *iommu = d; struct intel_iommu *iommu = d;
...@@ -539,6 +556,9 @@ static irqreturn_t prq_event_thread(int irq, void *d) ...@@ -539,6 +556,9 @@ static irqreturn_t prq_event_thread(int irq, void *d)
if (!vma || address < vma->vm_start) if (!vma || address < vma->vm_start)
goto invalid; goto invalid;
if (access_error(vma, req))
goto invalid;
ret = handle_mm_fault(svm->mm, vma, address, ret = handle_mm_fault(svm->mm, vma, address,
req->wr_req ? FAULT_FLAG_WRITE : 0); req->wr_req ? FAULT_FLAG_WRITE : 0);
if (ret & VM_FAULT_ERROR) if (ret & VM_FAULT_ERROR)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment