Patch "iommu: Validate the PASID in iommu_attach_device_pasid()" has been added to the 6.8-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 3 Apr 2024 12:02:59 -0400

This is a note to let you know that I've just added the patch titled

    iommu: Validate the PASID in iommu_attach_device_pasid()

to the 6.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommu-validate-the-pasid-in-iommu_attach_device_pasi.patch
and it can be found in the queue-6.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a6a2017f3d361984fd2d39fade2be5d417dddf6c
Author: Jason Gunthorpe <jgg@xxxxxxxx>
Date:   Wed Mar 27 10:41:39 2024 -0300

    iommu: Validate the PASID in iommu_attach_device_pasid()
    
    [ Upstream commit c404f55c26fc23c70a9f2262f3f36a69fc46289b ]
    
    The SVA code checks that the PASID is valid for the device when assigning
    the PASID to the MM, but the normal PAGING related path does not check it.
    
    Devices that don't support PASID or PASID values too large for the device
    should not invoke the driver callback. The drivers should rely on the
    core code for this enforcement.
    
    Fixes: 16603704559c7a68 ("iommu: Add attach/detach_dev_pasid iommu interfaces")
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Reviewed-by: Yi Liu <yi.l.liu@xxxxxxxxx>
    Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
    Link: https://lore.kernel.org/r/0-v1-460705442b30+659-iommu_check_pasid_jgg@xxxxxxxxxx
    Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index cd1210026ac53..ad33161f2374b 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -3547,6 +3547,7 @@ int iommu_attach_device_pasid(struct iommu_domain *domain,
 {
 	/* Caller must be a probed driver on dev */
 	struct iommu_group *group = dev->iommu_group;
+	struct group_device *device;
 	void *curr;
 	int ret;
 
@@ -3556,10 +3557,18 @@ int iommu_attach_device_pasid(struct iommu_domain *domain,
 	if (!group)
 		return -ENODEV;
 
-	if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner)
+	if (!dev_has_iommu(dev) || dev_iommu_ops(dev) != domain->owner ||
+	    pasid == IOMMU_NO_PASID)
 		return -EINVAL;
 
 	mutex_lock(&group->mutex);
+	for_each_group_device(group, device) {
+		if (pasid >= device->dev->iommu->max_pasids) {
+			ret = -EINVAL;
+			goto out_unlock;
+		}
+	}
+
 	curr = xa_cmpxchg(&group->pasid_array, pasid, NULL, domain, GFP_KERNEL);
 	if (curr) {
 		ret = xa_err(curr) ? : -EBUSY;







