The valid range of 'did' in get_iommu_domain(*iommu, did)
is 0..cap_ndoms(iommu->cap), so don't exceed that
range in free_all_cpu_cached_iovas().
The user-visible impact of the out-of-bounds access is the machine
hanging on suspend-to-ram. It is, in fact, a kernel panic, but due
to already suspended devices, that's often not visible to the user.
Fixes: 22e2f9fa63b0 ("iommu/vt-d: Use per-cpu IOVA caching")
Signed-off-by: Jan Niehusmann <jan@xxxxxxxxxx>
Tested-By: Marius Vlad <marius.c.vlad@xxxxxxxxx>
---
Added some details and Tested-By to the commit message. Patch is unchanged.
Posted to intel-gfx@xxxxxxxxxxxxxxxxxxxxx and iommu@xxxxxxxxxxxxxxxxxxxxxxxxxx
where the issue was discussed.
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index a644d0c..82989d4 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -4600,7 +4600,7 @@ static void free_all_cpu_cached_iovas(unsigned int cpu)
if (!iommu)
continue;
- for (did = 0; did < 0xffff; did++) {
+ for (did = 0; did < cap_ndoms(iommu->cap); did++) {
domain = get_iommu_domain(iommu, did);
if (!domain)
--
2.1.4
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
