This is a note to let you know that I've just added the patch titled
iommu/dma: Fix iova map result check bug
to the 5.17-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
iommu-dma-fix-iova-map-result-check-bug.patch
and it can be found in the queue-5.17 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From a3884774d731f03d3a3dd4fb70ec2d9341ceb39d Mon Sep 17 00:00:00 2001
From: Yunfei Wang <yf.wang@xxxxxxxxxxxx>
Date: Sat, 7 May 2022 16:52:03 +0800
Subject: iommu/dma: Fix iova map result check bug
From: Yunfei Wang <yf.wang@xxxxxxxxxxxx>
commit a3884774d731f03d3a3dd4fb70ec2d9341ceb39d upstream.
The data type of the return value of the iommu_map_sg_atomic
is ssize_t, but the data type of iova size is size_t,
e.g. one is int while the other is unsigned int.
When iommu_map_sg_atomic return value is compared with iova size,
it will force the signed int to be converted to unsigned int, if
iova map fails and iommu_map_sg_atomic return error code is less
than 0, then (ret < iova_len) is false, which will to cause not
do free iova, and the master can still successfully get the iova
of map fail, which is not expected.
Therefore, we need to check the return value of iommu_map_sg_atomic
in two cases according to whether it is less than 0.
Fixes: ad8f36e4b6b1 ("iommu: return full error code from iommu_map_sg[_atomic]()")
Signed-off-by: Yunfei Wang <yf.wang@xxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx> # 5.15.*
Reviewed-by: Robin Murphy <robin.murphy@xxxxxxx>
Reviewed-by: Miles Chen <miles.chen@xxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20220507085204.16914-1-yf.wang@xxxxxxxxxxxx
Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/iommu/dma-iommu.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -772,6 +772,7 @@ static struct page **__iommu_dma_alloc_n
unsigned int count, min_size, alloc_sizes = domain->pgsize_bitmap;
struct page **pages;
dma_addr_t iova;
+ ssize_t ret;
if (static_branch_unlikely(&iommu_deferred_attach_enabled) &&
iommu_deferred_attach(dev, domain))
@@ -809,8 +810,8 @@ static struct page **__iommu_dma_alloc_n
arch_dma_prep_coherent(sg_page(sg), sg->length);
}
- if (iommu_map_sg_atomic(domain, iova, sgt->sgl, sgt->orig_nents, ioprot)
- < size)
+ ret = iommu_map_sg_atomic(domain, iova, sgt->sgl, sgt->orig_nents, ioprot);
+ if (ret < 0 || ret < size)
goto out_free_sg;
sgt->sgl->dma_address = iova;
@@ -1207,7 +1208,7 @@ static int iommu_dma_map_sg(struct devic
* implementation - it knows better than we do.
*/
ret = iommu_map_sg_atomic(domain, iova, sg, nents, prot);
- if (ret < iova_len)
+ if (ret < 0 || ret < iova_len)
goto out_free_iova;
return __finalise_sg(dev, sg, nents, iova);
Patches currently in stable-queue which might be from yf.wang@xxxxxxxxxxxx are
queue-5.17/iommu-dma-fix-iova-map-result-check-bug.patch
queue-5.17/iommu-mediatek-add-mutex-for-m4u_group-and-m4u_dom-i.patch
