From: Greg Kroah-Hartman Date: Tue, 29 Apr 2025 14:30:47 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v5.4.293~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=20922197d72530a8ee3a92f5371eecbf8d4c3b15;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: iommu-handle-race-with-default-domain-setup.patch --- diff --git a/queue-6.6/iommu-handle-race-with-default-domain-setup.patch b/queue-6.6/iommu-handle-race-with-default-domain-setup.patch new file mode 100644 index 0000000000..0aa53a17c5 --- /dev/null +++ b/queue-6.6/iommu-handle-race-with-default-domain-setup.patch @@ -0,0 +1,70 @@ +From b46064a18810bad3aea089a79993ca5ea7a3d2b2 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Fri, 28 Feb 2025 15:46:30 +0000 +Subject: iommu: Handle race with default domain setup + +From: Robin Murphy + +commit b46064a18810bad3aea089a79993ca5ea7a3d2b2 upstream. + +It turns out that deferred default domain creation leaves a subtle +race window during iommu_device_register() wherein a client driver may +asynchronously probe in parallel and get as far as performing DMA API +operations with dma-direct, only to be switched to iommu-dma underfoot +once the default domain attachment finally happens, with obviously +disastrous consequences. Even the wonky of_iommu_configure() path is at +risk, since iommu_fwspec_init() will no longer defer client probe as the +instance ops are (necessarily) already registered, and the "replay" +iommu_probe_device() call can see dev->iommu_group already set and so +think there's nothing to do either. + +Fortunately we already have the right tool in the right place in the +form of iommu_device_use_default_domain(), which just needs to ensure +that said default domain is actually ready to *be* used. Deferring the +client probe shouldn't have too much impact, given that this only +happens while the IOMMU driver is probing, and thus due to kick the +deferred probe list again once it finishes. + +Reported-by: Charan Teja Kalla +Fixes: 98ac73f99bc4 ("iommu: Require a default_domain for all iommu drivers") +Reviewed-by: Jason Gunthorpe +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/e88b94c9b575034a2c98a48b3d383654cbda7902.1740753261.git.robin.murphy@arm.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/iommu.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/iommu/iommu.c ++++ b/drivers/iommu/iommu.c +@@ -566,6 +566,17 @@ int iommu_probe_device(struct device *de + mutex_lock(&iommu_probe_device_lock); + ret = __iommu_probe_device(dev, NULL); + mutex_unlock(&iommu_probe_device_lock); ++ ++ /* ++ * The dma_configure replay paths need bus_iommu_probe() to ++ * finish before they can call arch_setup_dma_ops() ++ */ ++ if (IS_ENABLED(CONFIG_IOMMU_DMA) && !ret && dev->iommu_group) { ++ mutex_lock(&dev->iommu_group->mutex); ++ if (!dev->iommu_group->default_domain) ++ ret = -EPROBE_DEFER; ++ mutex_unlock(&dev->iommu_group->mutex); ++ } + if (ret) + return ret; + +@@ -3149,6 +3160,11 @@ int iommu_device_use_default_domain(stru + return 0; + + mutex_lock(&group->mutex); ++ /* We may race against bus_iommu_probe() finalising groups here */ ++ if (IS_ENABLED(CONFIG_IOMMU_DMA) && !group->default_domain) { ++ ret = -EPROBE_DEFER; ++ goto unlock_out; ++ } + if (group->owner_cnt) { + if (group->owner || !iommu_is_default_domain(group) || + !xa_empty(&group->pasid_array)) { diff --git a/queue-6.6/series b/queue-6.6/series index fb383139d4..d55d134480 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -197,3 +197,4 @@ net-dsa-mv88e6xxx-fix-atu_move_port_mask-for-6341-family.patch net-dsa-mv88e6xxx-enable-pvt-for-6321-switch.patch net-dsa-mv88e6xxx-enable-.port_set_policy-for-6320-family.patch net-dsa-mv88e6xxx-enable-stu-methods-for-6320-family.patch +iommu-handle-race-with-default-domain-setup.patch