From: Greg Kroah-Hartman Date: Fri, 29 Mar 2024 10:26:04 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.7.12~174 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2c8143086c54167fecffb859204d810942e60740;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: iommu-avoid-races-around-default-domain-allocations.patch --- diff --git a/queue-6.1/iommu-avoid-races-around-default-domain-allocations.patch b/queue-6.1/iommu-avoid-races-around-default-domain-allocations.patch new file mode 100644 index 00000000000..21ea209fa25 --- /dev/null +++ b/queue-6.1/iommu-avoid-races-around-default-domain-allocations.patch 
@@ -0,0 +1,78 @@ +From quic_nprakash@quicinc.com Fri Mar 29 11:20:13 2024 +From: Nikhil V +Date: Mon, 4 Mar 2024 16:40:50 +0530 +Subject: iommu: Avoid races around default domain allocations +To: +Cc: Charan Teja Kalla , Joerg Roedel , Will Deacon , Robin Murphy , , , Nikhil V , +Message-ID: + +From: Charan Teja Kalla + +This fix is applicable for LTS kernel, 6.1.y. In latest kernels, this race +issue is fixed by the patch series [1] and [2]. The right thing to do here +would have been propagating these changes from latest kernel to the stable +branch, 6.1.y. However, these changes seems too intrusive to be picked for +stable branches. Hence, the fix proposed can be taken as an alternative +instead of backporting the patch series. +[1] https://lore.kernel.org/all/0-v8-81230027b2fa+9d-iommu_all_defdom_jgg@nvidia.com/ +[2] https://lore.kernel.org/all/0-v5-1b99ae392328+44574-iommu_err_unwind_jgg@nvidia.com/ + +Issue: +A race condition is observed when arm_smmu_device_probe and +modprobe of client devices happens in parallel. This results +in the allocation of a new default domain for the iommu group +even though it was previously allocated and the respective iova +domain(iovad) was initialized. However, for this newly allocated +default domain, iovad will not be initialized. As a result, for +devices requesting dma allocations, this uninitialized iovad will +be used, thereby causing NULL pointer dereference issue. + +Flow: +- During arm_smmu_device_probe, bus_iommu_probe() will be called +as part of iommu_device_register(). This results in the device probe, +__iommu_probe_device(). + +- When the modprobe of the client device happens in parallel, it +sets up the DMA configuration for the device using of_dma_configure_id(), +which inturn calls iommu_probe_device(). Later, default domain is +allocated and attached using iommu_alloc_default_domain() and +__iommu_attach_device() respectively. 
It then ends up initializing a +mapping domain(IOVA domain) and rcaches for the device via +arch_setup_dma_ops()->iommu_setup_dma_ops(). + +- Now, in the bus_iommu_probe() path, it again tries to allocate +a default domain via probe_alloc_default_domain(). This results in +allocating a new default domain(along with IOVA domain) via +__iommu_domain_alloc(). However, this newly allocated IOVA domain +will not be initialized. + +- Now, when the same client device tries dma allocations via +iommu_dma_alloc(), it ends up accessing the rcaches of the newly +allocated IOVA domain, which is not initialized. This results +into NULL pointer dereferencing. + +Fix this issue by adding a check in probe_alloc_default_domain() +to see if the iommu_group already has a default domain allocated +and initialized. + +Cc: # see patch description, fix applicable only for 6.1.y +Signed-off-by: Charan Teja Kalla +Co-developed-by: Nikhil V +Signed-off-by: Nikhil V +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/iommu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -1741,6 +1741,9 @@ static void probe_alloc_default_domain(s + { + struct __group_domain_type gtype; + ++ if (group->default_domain) ++ return; ++ + memset(>ype, 0, sizeof(gtype)); + + /* Ask for default domain requirements of all devices in the group */ diff --git a/queue-6.1/series b/queue-6.1/series index 51d74903baf..7d3e6722981 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -177,3 +177,4 @@ drm-amd-display-handle-range-offsets-in-vrr-ranges.patch x86-efistub-call-mixed-mode-boot-services-on-the-firmware-s-stack.patch net-tls-handle-backlogging-of-crypto-requests.patch asoc-amd-yc-revert-fix-non-functional-mic-on-lenovo-21j2.patch +iommu-avoid-races-around-default-domain-allocations.patch
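
Review bot: the early return added at the top of probe_alloc_default_domain() (`if (group->default_domain) return;`) is a check-then-act on group->default_domain, and neither the hunk nor the commit message says what serializes it against the parallel iommu_probe_device() path. The message describes bus_iommu_probe() and the client's modprobe running concurrently. If both can reach the allocation before either one stores the pointer, the check narrows the window but does not close it. Please state in the commit message which lock the caller holds across the test and the allocation, and consider asserting it in the function so that the assumption is enforced. A one-line comment above the check would also help: without the commit message, the reason for the return is not obvious at the call site. It should say that a default domain with an initialized IOVA domain may already have been attached by the iommu_probe_device() path. Since the patch is 6.1.y-only and has no upstream commit to point at, that comment is the only in-tree record of why the check exists.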