Re: [RESEND PATCH v8 00/11] Fix BUG_ON in vfio_iommu_group_notifier()
From: Qian Cai
Date: Mon May 02 2022 - 12:12:22 EST
On Mon, Apr 18, 2022 at 08:49:49AM +0800, Lu Baolu wrote:
> Hi Joerg,
>
> This is a resend version of v8 posted here:
> https://lore.kernel.org/linux-iommu/20220308054421.847385-1-baolu.lu@xxxxxxxxxxxxxxx/
> as we discussed in this thread:
> https://lore.kernel.org/linux-iommu/Yk%2Fq1BGN8pC5HVZp@xxxxxxxxxx/
>
> All patches can be applied perfectly except this one:
> - [PATCH v8 02/11] driver core: Add dma_cleanup callback in bus_type
> It conflicts with below refactoring commit:
> - 4b775aaf1ea99 "driver core: Refactor sysfs and drv/bus remove hooks"
> The conflict has been fixed in this post.
>
> No functional changes in this series. I suppress cc-ing this series to
> all v8 reviewers in order to avoid spam.
>
> Please consider it for your iommu tree.
Reverting this series fixed a use-after-free while doing SR-IOV.
BUG: KASAN: use-after-free in __lock_acquire
Read of size 8 at addr ffff080279825d78 by task qemu-system-aar/22429
CPU: 24 PID: 22429 Comm: qemu-system-aar Not tainted 5.18.0-rc5-next-20220502 #69
Call trace:
dump_backtrace
show_stack
dump_stack_lvl
print_address_description.constprop.0
print_report
kasan_report
__asan_report_load8_noabort
__lock_acquire
lock_acquire.part.0
lock_acquire
_raw_spin_lock_irqsave
arm_smmu_detach_dev
arm_smmu_detach_dev at drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c:2377
arm_smmu_attach_dev
__iommu_attach_group
__iommu_attach_device at drivers/iommu/iommu.c:1942
(inlined by) iommu_group_do_attach_device at drivers/iommu/iommu.c:2058
(inlined by) __iommu_group_for_each_dev at drivers/iommu/iommu.c:989
(inlined by) __iommu_attach_group at drivers/iommu/iommu.c:2069
iommu_group_release_dma_owner
__vfio_group_unset_container
vfio_group_try_dissolve_container
vfio_group_put_external_user
kvm_vfio_destroy
kvm_destroy_vm
kvm_vm_release
__fput
____fput
task_work_run
do_exit
do_group_exit
get_signal
do_signal
do_notify_resume
el0_svc
el0t_64_sync_handler
el0t_64_sync
Allocated by task 22427:
kasan_save_stack
__kasan_kmalloc
kmem_cache_alloc_trace
arm_smmu_domain_alloc
iommu_domain_alloc
vfio_iommu_type1_attach_group
vfio_ioctl_set_iommu
vfio_fops_unl_ioctl
__arm64_sys_ioctl
invoke_syscall
el0_svc_common.constprop.0
do_el0_svc
el0_svc
el0t_64_sync_handler
el0t_64_sync
Freed by task 22429:
kasan_save_stack
kasan_set_track
kasan_set_free_info
____kasan_slab_free
__kasan_slab_free
slab_free_freelist_hook
kfree
arm_smmu_domain_free
arm_smmu_domain_free at iommu/arm/arm-smmu-v3/arm-smmu-v3.c:2067
iommu_domain_free
vfio_iommu_type1_detach_group
__vfio_group_unset_container
vfio_group_try_dissolve_container
vfio_group_put_external_user
kvm_vfio_destroy
kvm_destroy_vm
kvm_vm_release
__fput
____fput
task_work_run
do_exit
do_group_exit
get_signal
do_signal
do_notify_resume
el0_svc
el0t_64_sync_handler
el0t_64_sync
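To make a report like the one above quicker to triage, here is a small parser, added as an example and not part of the thread or of the kernel tree. It splits a KASAN report into its access, allocation and free stacks, skips the sanitizer/allocator/lockdep frames, and names the first frame of each stack that belongs to the code under test, plus the caller that the free and the use have in common. The sample is a trimmed copy of the report quoted in the mail; the layout it assumes ("Call trace:", "Allocated by task N:", "Freed by task N:") and the function names (parse_kasan, first_frame, common_callers, summarize) are this example's own.

```python
"""Triage helper for KASAN use-after-free reports (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the report quoted in the mail above.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __lock_acquire
Read of size 8 at addr ffff080279825d78 by task qemu-system-aar/22429
CPU: 24 PID: 22429 Comm: qemu-system-aar Not tainted 5.18.0-rc5-next-20220502 #69
Call trace:
dump_backtrace
kasan_report
__asan_report_load8_noabort
__lock_acquire
_raw_spin_lock_irqsave
arm_smmu_detach_dev
arm_smmu_detach_dev at drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c:2377
arm_smmu_attach_dev
__iommu_attach_group
__iommu_attach_device at drivers/iommu/iommu.c:1942
(inlined by) __iommu_attach_group at drivers/iommu/iommu.c:2069
iommu_group_release_dma_owner
__vfio_group_unset_container
kvm_vfio_destroy
Allocated by task 22427:
kasan_save_stack
__kasan_kmalloc
kmem_cache_alloc_trace
arm_smmu_domain_alloc
iommu_domain_alloc
vfio_iommu_type1_attach_group
Freed by task 22429:
kasan_save_stack
__kasan_slab_free
kfree
arm_smmu_domain_free
arm_smmu_domain_free at iommu/arm/arm-smmu-v3/arm-smmu-v3.c:2067
iommu_domain_free
vfio_iommu_type1_detach_group
__vfio_group_unset_container
kvm_vfio_destroy
"""

# Frames of the sanitizer, allocator and lockdep machinery; they never point at the bug.
INFRA_PREFIXES = ("dump_", "show_stack", "print_", "kasan_", "__kasan_", "____kasan_",
                  "__asan_", "slab_free", "kmem_cache_alloc", "kfree",
                  "lock_acquire", "__lock_acquire", "_raw_spin")

_HDR = re.compile(r"^BUG: KASAN: (\S+) in (\S+)")
_ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-fA-F]+) by task (\S+)/(\d+)")
_ALLOC = re.compile(r"^Allocated by task (\d+):")
_FREE = re.compile(r"^Freed by task (\d+):")


@dataclass
class KasanReport:
    bug_kind: str = ""
    report_func: str = ""
    access: str = ""
    size: int = 0
    addr: str = ""
    use_comm: str = ""
    use_task: Optional[int] = None
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    use_stack: List[str] = field(default_factory=list)
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    locations: Dict[str, str] = field(default_factory=dict)  # function -> file:line


def _frame_name(line: str) -> str:
    """'(inlined by) foo at f.c:12' -> 'foo'; plain frames pass through."""
    if line.startswith("(inlined by) "):
        line = line[len("(inlined by) "):]
    return line.split(" at ", 1)[0]


def parse_kasan(text: str) -> KasanReport:
    rep = KasanReport()
    target = None  # the stack list that frame lines are currently appended to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("CPU:"):
            continue
        if m := _HDR.match(line):
            rep.bug_kind, rep.report_func = m.group(1), m.group(2)
        elif m := _ACCESS.match(line):
            rep.access, rep.size, rep.addr = m.group(1), int(m.group(2)), m.group(3)
            rep.use_comm, rep.use_task = m.group(4), int(m.group(5))
        elif line == "Call trace:":
            target = rep.use_stack
        elif m := _ALLOC.match(line):
            rep.alloc_task, target = int(m.group(1)), rep.alloc_stack
        elif m := _FREE.match(line):
            rep.free_task, target = int(m.group(1)), rep.free_stack
        elif target is not None:
            name = _frame_name(line)
            if " at " in line:  # decoded frame carries a file:line
                rep.locations[name] = line.split(" at ", 1)[1]
            if not target or target[-1] != name:  # merge 'foo' + 'foo at f.c:N'
                target.append(name)
    return rep


def first_frame(stack: List[str]) -> Optional[str]:
    """Innermost frame that is not sanitizer/allocator/lockdep plumbing."""
    return next((f for f in stack if not f.startswith(INFRA_PREFIXES)), None)


def common_callers(rep: KasanReport) -> List[str]:
    """Frames shared by the use and free stacks, innermost first: the path that did both."""
    freed_in = {f for f in rep.free_stack if not f.startswith(INFRA_PREFIXES)}
    seen, out = set(), []
    for f in rep.use_stack:
        if f in freed_in and f not in seen:
            seen.add(f)
            out.append(f)
    return out


def summarize(rep: KasanReport) -> str:
    use = first_frame(rep.use_stack)
    lines = [
        f"{rep.bug_kind}: {rep.access} of {rep.size} bytes at {rep.addr} "
        f"by task {rep.use_task} ({rep.use_comm})",
        f"  used in   : {use} {rep.locations.get(use or '', '')}".rstrip(),
        f"  allocated : {first_frame(rep.alloc_stack)} (task {rep.alloc_task})",
        f"  freed in  : {first_frame(rep.free_stack)} (task {rep.free_task})",
    ]
    if common := common_callers(rep):
        lines.append(f"  free and use share caller: {common[0]}")
    if rep.free_task == rep.use_task:
        lines.append("  same task freed then used the object: likely an ordering bug in one teardown path")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE_REPORT)))
```

On the sample, the summary points at arm_smmu_detach_dev as the use site and arm_smmu_domain_free as the free site, both reached from __vfio_group_unset_container in the same task, which is the shape of the bug the mail reports: the container teardown frees the domain and then re-attaches the group to it.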