BACKPORT: FROMLIST: swiotlb: Convert io_default_tlb_mem to static allocation
Since commit 69031f50 ("swiotlb: Set dev->dma_io_tlb_mem to the swiotlb pool used"), 'struct device' may hold a copy of the global 'io_default_tlb_mem' pointer if the device is using swiotlb for DMA. A subsequent call to swiotlb_exit() will therefore leave dangling pointers behind in these device structures, resulting in KASAN splats such as: | BUG: KASAN: use-after-free in __iommu_dma_unmap_swiotlb+0x64/0xb0 | Read of size 8 at addr ffff8881d7830000 by task swapper/0/0 | | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc3-debug #1 | Hardware name: HP HP Desktop M01-F1xxx/87D6, BIOS F.12 12/17/2020 | Call Trace: | <IRQ> | dump_stack+0x9c/0xcf | print_address_description.constprop.0+0x18/0x130 | kasan_report.cold+0x7f/0x111 | __iommu_dma_unmap_swiotlb+0x64/0xb0 | nvme_pci_complete_rq+0x73/0x130 | blk_complete_reqs+0x6f/0x80 | __do_softirq+0xfc/0x3be Convert 'io_default_tlb_mem' to a static structure, so that the per-device pointers remain valid after swiotlb_exit() has been invoked. All users are updated to reference the static structure directly, using the 'nslabs' field to determine whether swiotlb has been initialised. The 'slots' array is still allocated dynamically and referenced via a pointer rather than a flexible array member. Cc: Claire Chang <tientzu@chromium.org> Cc: Christoph Hellwig <hch@lst.de> Cc: Robin Murphy <robin.murphy@arm.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Fixes: 69031f50 ("swiotlb: Set dev->dma_io_tlb_mem to the swiotlb pool used") Reported-by:Nathan Chancellor <nathan@kernel.org> Tested-by:
Claire Chang <tientzu@chromium.org> Reviewed-by:
Christoph Hellwig <hch@lst.de> Signed-off-by:
Will Deacon <will@kernel.org> Link: https://lore.kernel.org/r/20210720133826.9075-3-will@kernel.org [willdeacon@: Drop missing context hunk from swiotlb-xen.c] Signed-off-by:
Will Deacon <willdeacon@google.com> Bug: 190591509 Change-Id: Ia8040373d127fde480b10a20f3976e07e5f5fa06
Loading
Please sign in to comment