Skip to content

mm: Fix PASID use-after-free issue

Jerry Snitselaar requested to merge jsnitsel/centos-stream-9:rhel9-mm-pasid-fix into main

Summary of Changes

mm: Fix PASID use-after-free issue

Bugzilla: https://bugzilla.redhat.com/2113044
Upstream Status: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Tested: Tested running dsa_user_test_runner on SPR system. Working on trying to come
        come with a producer for having an outstanding request during file->release().

commit 2667ed10d9f01e250ba806276740782c89d77fda
Author: Fenghua Yu <fenghua.yu@intel.com>
Date:   Thu Apr 28 11:00:41 2022 -0700

    mm: Fix PASID use-after-free issue

    The PASID is being freed too early.  It needs to stay around until after
    device drivers that might be using it have had a chance to clear it out
    of the hardware.

    The relevant refcounts are:

      mmget() /mmput()  refcount the mm's address space
      mmgrab()/mmdrop() refcount the mm itself

    The PASID is currently tied to the life of the mm's address space and freed
    in __mmput().  This makes logical sense because the PASID can't be used
    once the address space is gone.

    But, this misses an important point: even after the address space is gone,
    the PASID will still be programmed into a device.  Device drivers might,
    for instance, still need to flush operations that are outstanding and need
    to use that PASID.  They do this at file->release() time.

    Device drivers call the IOMMU driver to hold a reference on the mm itself
    and drop it at file->release() time.  But, the IOMMU driver holds a
    reference on the mm itself, not the address space.  The address space (and
    the PASID) is long gone by the time the driver tries to clean up.  This is
    effectively a use-after-free bug on the PASID.

    To fix this, move the PASID free operation from __mmput() to __mmdrop().
    This ensures that the IOMMU driver's existing mmgrab() keeps the PASID
    allocated until it drops its mm reference.

    Fixes: 701fac40384f ("iommu/sva: Assign a PASID to mm on PASID allocation and free it on mm exit")
    Reported-by: Zhangfei Gao <zhangfei.gao@foxmail.com>
    Suggested-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
    Suggested-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
    Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Tested-by: Zhangfei Gao <zhangfei.gao@foxmail.com>
    Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
    Link: https://lore.kernel.org/r/20220428180041.806809-1-fenghua.yu@intel.com

(cherry picked from commit 2667ed10d9f01e250ba806276740782c89d77fda)

Signed-off-by: Jerry Snitselaar jsnitsel@redhat.com

Edited by Jerry Snitselaar

Merge request reports