On Wed, Oct 02, 2024 at 05:06:00PM +0200, Vegard Nossum wrote:
> From: Nicolin Chen <nicolinc@xxxxxxxxxx>
>
> [ Upstream commit cf7c2789822db8b5efa34f5ebcf1621bc0008d48 ]
>
> Syzkaller reported the following bug:
>
>   general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN
>   KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
>   Call Trace:
>     lock_acquire
>     lock_acquire+0x1ce/0x4f0
>     down_read+0x93/0x4a0
>     iommufd_test_syz_conv_iova+0x56/0x1f0
>     iommufd_test_access_rw.isra.0+0x2ec/0x390
>     iommufd_test+0x1058/0x1e30
>     iommufd_fops_ioctl+0x381/0x510
>     vfs_ioctl
>     __do_sys_ioctl
>     __se_sys_ioctl
>     __x64_sys_ioctl+0x170/0x1e0
>     do_syscall_x64
>     do_syscall_64+0x71/0x140
>
> This is because the new iommufd_access_change_ioas() sets access->ioas to
> NULL during its process, so the lock might be gone in a concurrent racing
> context.
>
> Fix this by doing the same access->ioas sanity as iommufd_access_rw() and
> iommufd_access_pin_pages() functions do.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 9227da7816dd ("iommufd: Add iommufd_access_change_ioas(_id) helpers")
> Link: https://lore.kernel.org/r/3f1932acaf1dd494d404c04364d73ce8f57f3e5e.1708636627.git.nicolinc@xxxxxxxxxx
> Reported-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
> Signed-off-by: Nicolin Chen <nicolinc@xxxxxxxxxx>
> Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
> Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
> (cherry picked from commit cf7c2789822db8b5efa34f5ebcf1621bc0008d48)
> [Harshit: CVE-2024-26785; Resolve conflicts due to missing commit:
> bd7a282650b8 ("iommufd: Add iommufd_ctx to iommufd_put_object()") in
> 6.6.y]
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
> Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
> ---
>  drivers/iommu/iommufd/selftest.c | 27 +++++++++++++++++++++------
>  1 file changed, 21 insertions(+), 6 deletions(-)

This is only fixing the test suite and does not affect a production kernel
where this code should not be compiled.

Jason
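The race in the quoted commit message, as an added userspace model that is not the kernel's code: change_ioas() clears access->ioas under ioas_lock, the unchecked path computes the address a racing down_read() would touch (NULL plus the rwsem offset, which is why KASAN reports a range near 0x1c0 rather than address zero), and the checked path takes ioas_lock and validates access->ioas first, the pattern the fix borrows from iommufd_access_rw(). Struct layouts, the 0x1c0 padding, the int "locks" and BAD_IOVA are simplifications chosen for the example.

```c
/* Userspace model of the access->ioas race; simplified types, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#define BAD_IOVA ((unsigned long)-1)

struct ioas {
	unsigned char pad[0x1c0]; /* constructed padding: rwsem lands at 0x1c0 as in the report */
	int iova_rwsem;           /* stands in for iopt->iova_rwsem (reader count) */
};
struct access {
	int ioas_lock;            /* stands in for the mutex guarding access->ioas */
	struct ioas *ioas;        /* cleared by change_ioas(); may be NULL */
};

/* Model of iommufd_access_change_ioas(): swaps the IOAS under ioas_lock. */
static void change_ioas(struct access *a, struct ioas *new_ioas)
{
	a->ioas_lock = 1;
	a->ioas = new_ioas;
	a->ioas_lock = 0;
}

/* Buggy pattern, computed instead of dereferenced: the address an unchecked
 * down_read() on access->ioas->iova_rwsem touches. With ioas == NULL it is
 * 0x1c0, not 0, matching KASAN's "null-ptr-deref in range" near 0x1c0. */
static uintptr_t unchecked_rwsem_addr(const struct access *a)
{
	return (uintptr_t)a->ioas + offsetof(struct ioas, iova_rwsem);
}

/* Fixed pattern: hold ioas_lock, check access->ioas, only then take its rwsem. */
static unsigned long conv_iova_checked(struct access *a, unsigned long iova)
{
	unsigned long ret = BAD_IOVA;
	a->ioas_lock = 1;
	if (a->ioas) {
		a->ioas->iova_rwsem++;    /* down_read() */
		ret = iova;               /* real code: look the IOVA up in the IOPT */
		a->ioas->iova_rwsem--;    /* up_read() */
	}
	a->ioas_lock = 0;
	return ret;
}

/* Scenario: IOAS attached, then detached by a racing change_ioas(). */
static void demo(unsigned long *before, unsigned long *after, uintptr_t *bad_addr)
{
	static struct ioas ioas_obj;
	struct access acc = { 0, &ioas_obj };
	*before = conv_iova_checked(&acc, 0x1000); /* IOAS present: 0x1000 */
	change_ioas(&acc, NULL);                   /* racing detach */
	*after = conv_iova_checked(&acc, 0x1000);  /* rejected: BAD_IOVA */
	*bad_addr = unchecked_rwsem_addr(&acc);    /* 0x1c0 */
}
```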