[lvc-project] [PATCH] iommu: fix crash in report_iommu_fault()
Tian, Kevin
kevin.tian at intel.com
Thu Apr 10 08:21:21 MSK 2025
> From: Fedor Pchelkin <pchelkin at ispras.ru>
> Sent: Wednesday, April 9, 2025 5:34 AM
>
> The following crash is observed while handling an IOMMU fault with a
> recent kernel:
>
> kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> BUG: unable to handle page fault for address: ffff8c708299f700
> PGD 19ee01067 P4D 19ee01067 PUD 101c10063 PMD 80000001028001e3
> Oops: Oops: 0011 [#1] SMP NOPTI
> CPU: 4 UID: 0 PID: 139 Comm: irq/25-AMD-Vi Not tainted 6.15.0-rc1+ #20
> PREEMPT(lazy)
> Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN50WW 09/27/2024
> RIP: 0010:0xffff8c708299f700
> Call Trace:
> <TASK>
> ? report_iommu_fault+0x78/0xd3
> ? amd_iommu_report_page_fault+0x91/0x150
> ? amd_iommu_int_thread+0x77/0x180
> ? __pfx_irq_thread_fn+0x10/0x10
> ? irq_thread_fn+0x23/0x60
> ? irq_thread+0xf9/0x1e0
> ? __pfx_irq_thread_dtor+0x10/0x10
> ? __pfx_irq_thread+0x10/0x10
> ? kthread+0xfc/0x240
> ? __pfx_kthread+0x10/0x10
> ? ret_from_fork+0x34/0x50
> ? __pfx_kthread+0x10/0x10
> ? ret_from_fork_asm+0x1a/0x30
> </TASK>
>
> report_iommu_fault() checks for an installed handler comparing the
> corresponding field to NULL. It can (and could before) be called for a
> domain with a different cookie type - IOMMU_COOKIE_DMA_IOVA,
> specifically.
> Cookie is represented as a union so we may end up with a garbage value
> treated there if this happens for a domain with another cookie type.
>
> Formerly there were two exclusive cookie types in the union.
> IOMMU_DOMAIN_SVA has a dedicated iommu_report_device_fault().
>
> Call the fault handler only if the passed domain has a required cookie
> type.
>
> Found by Linux Verification Center (linuxtesting.org).
>
> Fixes: 6aa63a4ec947 ("iommu: Sort out domain user data")
> Signed-off-by: Fedor Pchelkin <pchelkin at ispras.ru>
Reviewed-by: Kevin Tian <kevin.tian at intel.com>
More information about the lvc-project
mailing list