[kernel/f19] Add patch to fix VFIO IOMMU crash (rhbz 998732)

Josh Boyer jwboyer at fedoraproject.org
Wed Oct 9 13:05:01 UTC 2013 

commit 2094dd65dfe07b71fa5f61cc7b3aa811663a3286
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Wed Oct 9 09:01:38 2013 -0400

    Add patch to fix VFIO IOMMU crash (rhbz 998732)

 kernel.spec                                        |    9 +++++
 ...u-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch |   39 ++++++++++++++++++++
 2 files changed, 48 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index e1ce981..7b46277 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -772,6 +772,9 @@ Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
 #rhbz 1015920
 Patch25124: drm-nouveau-bios-init-stub-opcode-0xaa.patch
 
+#rhbz 998732
+Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1492,6 +1495,9 @@ ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
 #rhbz 1015920
 ApplyPatch drm-nouveau-bios-init-stub-opcode-0xaa.patch
 
+#rhbz 998732
+ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2304,6 +2310,9 @@ fi
 # and build.
 
 %changelog
+* Wed Oct 09 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- Add patch to fix VFIO IOMMU crash (rhbz 998732)
+
 * Tue Oct 08 2013 Josh Boyer <jwboyer at fedoraproject.org>
 - Add patch to fix nouveau crash (rhbz 1015920)
 - Quiet irq remapping stack trace (rhbz 982153)
diff --git a/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch b/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
new file mode 100644
index 0000000..0b5fa8a
--- /dev/null
+++ b/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
@@ -0,0 +1,39 @@
+From: Julian Stecklina <jsteckli at os.info.tu-dresden.de>
+Subject: [PATCH] vfio, iommu: Fixed interaction of VFIO_IOMMU_MAP_DMA with IOMMU address limits
+
+The BUG_ON in drivers/iommu/intel-iommu.c:785 can be triggered from userspace via
+VFIO by calling the VFIO_IOMMU_MAP_DMA ioctl on a vfio device with any address
+beyond the addressing capabilities of the IOMMU. The problem is that the ioctl code
+calls iommu_iova_to_phys before it calls iommu_map. iommu_map handles the case that
+it gets addresses beyond the addressing capabilities of its IOMMU.
+intel_iommu_iova_to_phys does not.
+
+This patch fixes iommu_iova_to_phys to return NULL for addresses beyond what the
+IOMMU can handle. This in turn causes the ioctl call to fail in iommu_map and
+(correctly) return EFAULT to the user with a helpful warning message in the kernel
+log.
+
+Signed-off-by: Julian Stecklina <jsteckli at os.inf.tu-dresden.de>
+---
+ drivers/iommu/intel-iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index eec0d3e..61303db 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -782,7 +782,11 @@ static struct dma_pte *pfn_to_dma_pte(struct dmar_domain *domain,
+ 	int offset;
+ 
+ 	BUG_ON(!domain->pgd);
+-	BUG_ON(addr_width < BITS_PER_LONG && pfn >> addr_width);
++
++	if (addr_width < BITS_PER_LONG && pfn >> addr_width)
++		/* Address beyond IOMMU's addressing capabilities. */
++		return NULL;
++
+ 	parent = domain->pgd;
+ 
+ 	while (level > 0) {
+-- 
+1.8.3.1

More information about the scm-commits mailing list