Commit bf67aa66 authored by leoliu-oc's avatar leoliu-oc
Browse files

iommu/dma: Fix not fully traversing iova reservations issue 

zhaoxin inclusion
category: other
bugzilla: https://gitee.com/openeuler/kernel/issues/I99EUU


CVE: NA

-----------------

For multiple devices in the same iommu group, sorted later devices (based
on Bus:Dev.Func) have the RMRR.

Sorted earlier device (without RMRR) initialized the iova domain causing
the sorted later device goto done_unlock.

Then, the sorted later device (with RMRR) cannot execute the
iova_reserve_iommu_regions to reserve the RMRR in the group's iova domain,
and other devices (in the same group) alloc iova in RMRR are permitted.

DMA iova addresses conflict with RMRR in this case.

There is a need to make sure all devices of the same group execute reserve
iova.

Substitute iova_reserve_iommu_regions with iova_reserve_pci_regions
(reserved PCI window)and iova_reserve_iommu_regions(reserved resv-region,
like RMRR and msi range). And then, goto iova_reserve_iommu_regions could
avoid the problem when if (iovad->start_pfn) is true.

Signed-off-by: default avatarleoliu-oc <leoliu-oc@zhaoxin.com>
parent 1087e901

drivers/iommu/dma-iommu.c

+19 −7
Original line number Diff line number Diff line
@@ -571,21 +571,28 @@ static int iova_reserve_pci_windows(struct pci_dev *dev, 
	return 0;

}



static int iova_reserve_iommu_regions(struct device *dev,

static int iova_reserve_pci_regions(struct device *dev,

		struct iommu_domain *domain)

{

	struct iommu_dma_cookie *cookie = domain->iova_cookie;

	struct iova_domain *iovad = &cookie->iovad;

	struct iommu_resv_region *region;

	LIST_HEAD(resv_regions);

	int ret = 0;



	if (dev_is_pci(dev)) {

	if (dev_is_pci(dev))

		ret = iova_reserve_pci_windows(to_pci_dev(dev), iovad);

		if (ret)



	return ret;

}



static int iova_reserve_iommu_regions(struct device *dev,

		struct iommu_domain *domain)

{

	struct iommu_dma_cookie *cookie = domain->iova_cookie;

	struct iova_domain *iovad = &cookie->iovad;

	struct iommu_resv_region *region;

	LIST_HEAD(resv_regions);

	int ret = 0;



	iommu_get_resv_regions(dev, &resv_regions);

	list_for_each_entry(region, &resv_regions, list) {

		unsigned long lo, hi;
@@ -722,7 +729,7 @@ static int iommu_dma_init_domain(struct iommu_domain *domain, dma_addr_t base, 
		}



		ret = 0;

		goto done_unlock;

		goto iova_reserve_iommu;

	}



	init_iova_domain(iovad, 1UL << order, base_pfn);
@@ -737,6 +744,11 @@ static int iommu_dma_init_domain(struct iommu_domain *domain, dma_addr_t base, 
	    (!device_iommu_capable(dev, IOMMU_CAP_DEFERRED_FLUSH) || iommu_dma_init_fq(domain)))

		domain->type = IOMMU_DOMAIN_DMA;



	ret = iova_reserve_pci_regions(dev, domain);

	if (ret)

		goto done_unlock;



iova_reserve_iommu:

	ret = iova_reserve_iommu_regions(dev, domain);



done_unlock: