[kernel] Add patch to fix VFIO IOMMU crash (rhbz 998732)

Josh Boyer jwboyer at fedoraproject.org
Wed Oct 9 13:05:11 UTC 2013 

commit 0713af68c631dd1df5715a813a8571c2fb470353
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Wed Oct 9 09:01:38 2013 -0400

    Add patch to fix VFIO IOMMU crash (rhbz 998732)

 kernel.spec                                        |    9 +++++
 ...u-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch |   39 ++++++++++++++++++++
 2 files changed, 48 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 86f4899..97cd6eb 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -744,6 +744,9 @@ Patch25116: rt2800-add-support-for-rf3070.patch
 #rhbz 982153
 Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
 
+#rhbz 998732
+Patch25124: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1446,6 +1449,9 @@ ApplyPatch rt2800-add-support-for-rf3070.patch
 #rhbz 982153
 ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch
 
+#rhbz 998732
+ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2250,6 +2256,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Wed Oct 09 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- Add patch to fix VFIO IOMMU crash (rhbz 998732)
+
 * Tue Oct 8  2013 Peter Robinson <pbrobinson at fedoraproject.org>
 - Tiny ARM config update
 
diff --git a/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch b/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
new file mode 100644
index 0000000..0b5fa8a
--- /dev/null
+++ b/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
@@ -0,0 +1,39 @@
+From: Julian Stecklina <jsteckli at os.info.tu-dresden.de>
+Subject: [PATCH] vfio, iommu: Fixed interaction of VFIO_IOMMU_MAP_DMA with IOMMU address limits
+
+The BUG_ON in drivers/iommu/intel-iommu.c:785 can be triggered from userspace via
+VFIO by calling the VFIO_IOMMU_MAP_DMA ioctl on a vfio device with any address
+beyond the addressing capabilities of the IOMMU. The problem is that the ioctl code
+calls iommu_iova_to_phys before it calls iommu_map. iommu_map handles the case that
+it gets addresses beyond the addressing capabilities of its IOMMU.
+intel_iommu_iova_to_phys does not.
+
+This patch fixes iommu_iova_to_phys to return NULL for addresses beyond what the
+IOMMU can handle. This in turn causes the ioctl call to fail in iommu_map and
+(correctly) return EFAULT to the user with a helpful warning message in the kernel
+log.
+
+Signed-off-by: Julian Stecklina <jsteckli at os.inf.tu-dresden.de>
+---
+ drivers/iommu/intel-iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index eec0d3e..61303db 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -782,7 +782,11 @@ static struct dma_pte *pfn_to_dma_pte(struct dmar_domain *domain,
+ 	int offset;
+ 
+ 	BUG_ON(!domain->pgd);
+-	BUG_ON(addr_width < BITS_PER_LONG && pfn >> addr_width);
++
++	if (addr_width < BITS_PER_LONG && pfn >> addr_width)
++		/* Address beyond IOMMU's addressing capabilities. */
++		return NULL;
++
+ 	parent = domain->pgd;
+ 
+ 	while (level > 0) {
+-- 
+1.8.3.1

More information about the scm-commits mailing list