Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp5902169pxb;
        Thu, 20 Jan 2022 06:54:43 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwsosKQzlc642+Aq4yMQWzM2yB7gMRamlXp8gFLsQXO7GFD57f/k7eL5Tz1x+XfSwnkmdjb
X-Received: by 2002:a17:902:7c93:b0:14a:ec87:5044 with SMTP id y19-20020a1709027c9300b0014aec875044mr10698783pll.31.1642690483124;
        Thu, 20 Jan 2022 06:54:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1642690483; cv=none;
        d=google.com; s=arc-20160816;
        b=DP4sYxKeq2WFKX8AAYp7Wk3/z46qKa1p/mHBlP9zcz6wk7NIfoTs5fhWxRGhbQv8ca
         LS11cjXaxLWTLvfxstdnNebaI8ERNx53UPxX87lJkTIoZnr13zypw42TsOZgulX+lGdb
         LFA67vbUolbA7Ezec7fiOre8DtnjGRrzRGZRAOLkGSVw4+qu6AtpUecbnstRYzaJXnH1
         aDpGqjLPSQlE+a2Y4Plh7r420b0HQkuBauPP0EAD+7XdUd3i7SPRWBH83Erz5BPPwzPz
         W/Qb1GLCr1/TdzNucUYLAXvUwcgwlBjJNUK1EBmofU3duIDBeoz2GYshDTVPX+ROZx1d
         IhWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject:dmarc-filter:sender:dkim-signature;
        bh=kZDrU8Dg8Jr5jR4QX28dOeZKIG/4+04z5OJQI5wFtME=;
        b=vkWpcUHRoJW6YEwaSoDUaSh++DkkMpCw3HAQTFsAs1VfhwjHKlkP/1blCHMymLL1mo
         9PGsY+IL7nHBSEpm+0VTQDyOojX87EL3QF/Y4G923/oTBHLMmuSoDiAlOShyh1d/K47l
         ncCSeWFDJGGW7TdaoKo4yad5Dxr8tBtvf6eBJPHyif2xd9y5O//o6hOBP0xz8gZPlSxp
         dKi1S8Gnb3d4kh8yX4jwwFhsSmV1wwVH903utXT+0yB+rqSI5VHbG0WX2Rii0lXtmOqO
         6fFEYZmw4VDmSHFuNxSZoOVK92tDhCaZVyNCCRmmqVH9hW/1TCL0LxdjavqgVLM7QeqO
         TuQg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=FHyR6EPQ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id t124si71800pgb.828.2022.01.20.06.54.31;
        Thu, 20 Jan 2022 06:54:43 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=FHyR6EPQ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1346055AbiARP6H (ORCPT <rfc822;stevenley.huang@gmail.com>
        + 99 others); Tue, 18 Jan 2022 10:58:07 -0500
Received: from so254-9.mailgun.net ([198.61.254.9]:23183 "EHLO
        so254-9.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230519AbiARP6G (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 18 Jan 2022 10:58:06 -0500
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt;
 s=smtp; t=1642521485; h=Content-Transfer-Encoding: Content-Type:
 In-Reply-To: MIME-Version: Date: Message-ID: From: References: Cc: To:
 Subject: Sender; bh=kZDrU8Dg8Jr5jR4QX28dOeZKIG/4+04z5OJQI5wFtME=; b=FHyR6EPQkI8ZMAstIG0CEJ/Z7O+CioPAUnJelfDYPY7XtwuhO5p8RwVMeOH+JIPPg4pzE+WY
 6uLeiSyqefkihgVJ5tCI5mLKoHL9bV2Z68gavU/jxeCeQt0AwPXTZiDSc+NL9e8+FFDymiE0
 8nie7gALlrkZUrqvuhrJb6y0rZ4=
X-Mailgun-Sending-Ip: 198.61.254.9
X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd
Received: from smtp.codeaurora.org
 (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by
 smtp-out-n03.prod.us-east-1.postgun.com with SMTP id
 61e6e38d6189a19cb208f0b4 (version=TLS1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Tue, 18 Jan 2022 15:58:05
 GMT
Sender: quic_vjitta=quicinc.com@mg.codeaurora.org
Received: by smtp.codeaurora.org (Postfix, from userid 1001)
        id 51F12C4360C; Tue, 18 Jan 2022 15:58:04 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
        aws-us-west-2-caf-mail-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=2.0 tests=ALL_TRUSTED,BAYES_00,
        NICE_REPLY_A,SPF_FAIL,URIBL_BLOCKED autolearn=no autolearn_force=no
        version=3.4.0
Received: from [192.168.0.100] (unknown [103.164.200.225])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: vjitta)
        by smtp.codeaurora.org (Postfix) with ESMTPSA id 4D678C4338F;
        Tue, 18 Jan 2022 15:57:59 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 smtp.codeaurora.org 4D678C4338F
Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=fail (p=none dis=none) header.from=quicinc.com
Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=fail smtp.mailfrom=quicinc.com
Subject: Re: [PATCH v3] iommu: Fix potential use-after-free during probe
To:     Robin Murphy <robin.murphy@arm.com>,
        Vijayanand Jitta <quic_vjitta@quicinc.com>, joro@8bytes.org,
        will@kernel.org, iommu@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org
Cc:     kernel-team@android.com
References: <1641993184-1232-1-git-send-email-quic_vjitta@quicinc.com>
 <9913d026-fddd-c188-0873-0f7a66fb2c3c@arm.com>
From:   Vijayanand Jitta <quic_vjitta@quicinc.com>
Message-ID: <5f923b2d-645c-a7df-e16b-e8526015db32@quicinc.com>
Date:   Tue, 18 Jan 2022 21:27:39 +0530
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <9913d026-fddd-c188-0873-0f7a66fb2c3c@arm.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 1/18/2022 7:19 PM, Robin Murphy wrote:
> On 2022-01-12 13:13, Vijayanand Jitta wrote:
>> Kasan has reported the following use after free on dev->iommu.
>> when a device probe fails and it is in process of freeing dev->iommu
>> in dev_iommu_free function, a deferred_probe_work_func runs in parallel
>> and tries to access dev->iommu->fwspec in of_iommu_configure path thus
>> causing use after free.
>>
>> BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4
>> Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153
>>
>> Workqueue: events_unbound deferred_probe_work_func
>> Call trace:
>>   dump_backtrace+0x0/0x33c
>>   show_stack+0x18/0x24
>>   dump_stack_lvl+0x16c/0x1e0
>>   print_address_description+0x84/0x39c
>>   __kasan_report+0x184/0x308
>>   kasan_report+0x50/0x78
>>   __asan_load8+0xc0/0xc4
>>   of_iommu_configure+0xb4/0x4a4
>>   of_dma_configure_id+0x2fc/0x4d4
>>   platform_dma_configure+0x40/0x5c
>>   really_probe+0x1b4/0xb74
>>   driver_probe_device+0x11c/0x228
>>   __device_attach_driver+0x14c/0x304
>>   bus_for_each_drv+0x124/0x1b0
>>   __device_attach+0x25c/0x334
>>   device_initial_probe+0x24/0x34
>>   bus_probe_device+0x78/0x134
>>   deferred_probe_work_func+0x130/0x1a8
>>   process_one_work+0x4c8/0x970
>>   worker_thread+0x5c8/0xaec
>>   kthread+0x1f8/0x220
>>   ret_from_fork+0x10/0x18
>>
>> Allocated by task 1:
>>   ____kasan_kmalloc+0xd4/0x114
>>   __kasan_kmalloc+0x10/0x1c
>>   kmem_cache_alloc_trace+0xe4/0x3d4
>>   __iommu_probe_device+0x90/0x394
>>   probe_iommu_group+0x70/0x9c
>>   bus_for_each_dev+0x11c/0x19c
>>   bus_iommu_probe+0xb8/0x7d4
>>   bus_set_iommu+0xcc/0x13c
>>   arm_smmu_bus_init+0x44/0x130 [arm_smmu]
>>   arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
>>   platform_drv_probe+0xe4/0x13c
>>   really_probe+0x2c8/0xb74
>>   driver_probe_device+0x11c/0x228
>>   device_driver_attach+0xf0/0x16c
>>   __driver_attach+0x80/0x320
>>   bus_for_each_dev+0x11c/0x19c
>>   driver_attach+0x38/0x48
>>   bus_add_driver+0x1dc/0x3a4
>>   driver_register+0x18c/0x244
>>   __platform_driver_register+0x88/0x9c
>>   init_module+0x64/0xff4 [arm_smmu]
>>   do_one_initcall+0x17c/0x2f0
>>   do_init_module+0xe8/0x378
>>   load_module+0x3f80/0x4a40
>>   __se_sys_finit_module+0x1a0/0x1e4
>>   __arm64_sys_finit_module+0x44/0x58
>>   el0_svc_common+0x100/0x264
>>   do_el0_svc+0x38/0xa4
>>   el0_svc+0x20/0x30
>>   el0_sync_handler+0x68/0xac
>>   el0_sync+0x160/0x180
>>
>> Freed by task 1:
>>   kasan_set_track+0x4c/0x84
>>   kasan_set_free_info+0x28/0x4c
>>   ____kasan_slab_free+0x120/0x15c
>>   __kasan_slab_free+0x18/0x28
>>   slab_free_freelist_hook+0x204/0x2fc
>>   kfree+0xfc/0x3a4
>>   __iommu_probe_device+0x284/0x394
>>   probe_iommu_group+0x70/0x9c
>>   bus_for_each_dev+0x11c/0x19c
>>   bus_iommu_probe+0xb8/0x7d4
>>   bus_set_iommu+0xcc/0x13c
>>   arm_smmu_bus_init+0x44/0x130 [arm_smmu]
>>   arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
>>   platform_drv_probe+0xe4/0x13c
>>   really_probe+0x2c8/0xb74
>>   driver_probe_device+0x11c/0x228
>>   device_driver_attach+0xf0/0x16c
>>   __driver_attach+0x80/0x320
>>   bus_for_each_dev+0x11c/0x19c
>>   driver_attach+0x38/0x48
>>   bus_add_driver+0x1dc/0x3a4
>>   driver_register+0x18c/0x244
>>   __platform_driver_register+0x88/0x9c
>>   init_module+0x64/0xff4 [arm_smmu]
>>   do_one_initcall+0x17c/0x2f0
>>   do_init_module+0xe8/0x378
>>   load_module+0x3f80/0x4a40
>>   __se_sys_finit_module+0x1a0/0x1e4
>>   __arm64_sys_finit_module+0x44/0x58
>>   el0_svc_common+0x100/0x264
>>   do_el0_svc+0x38/0xa4
>>   el0_svc+0x20/0x30
>>   el0_sync_handler+0x68/0xac
>>   el0_sync+0x160/0x180
>>
>> Fix this by taking device_lock during probe_iommu_group.
>>
>> Signed-off-by: Vijayanand Jitta <quic_vjitta@quicinc.com>
>> ---
>>   drivers/iommu/iommu.c | 12 ++++++++----
>>   1 file changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
>> index dd7863e..261792d 100644
>> --- a/drivers/iommu/iommu.c
>> +++ b/drivers/iommu/iommu.c
>> @@ -1617,7 +1617,7 @@ static int probe_iommu_group(struct device *dev,
>> void *data)
>>   {
>>       struct list_head *group_list = data;
>>       struct iommu_group *group;
>> -    int ret;
>> +    int ret = 0;
>>         /* Device is probed already if in a group */
>>       group = iommu_group_get(dev);
>> @@ -1626,9 +1626,13 @@ static int probe_iommu_group(struct device
>> *dev, void *data)
>>           return 0;
>>       }
>>   -    ret = __iommu_probe_device(dev, group_list);
>> -    if (ret == -ENODEV)
>> -        ret = 0;
>> +    ret = device_trylock(dev);
>> +    if (ret) {
> 
> This doesn't seem right - we can't have a non-deterministic situation
> where __iommu_probe_device() may or may not be called depending on what
> anyone else might be doing with the device at the same time.
> 
> I don't fully understand how __iommu_probe_device() and
> of_iommu_configure() can be running for the same device at the same
> time, but if that's not a race which can be fixed in its own right, then

Thanks for the review comments.

During arm_smmu probe, bus_for_each_dev is called which calls
__iommu_probe_device for each all the devs on that bus.

   __iommu_probe_device+0x90/0x394
   probe_iommu_group+0x70/0x9c
   bus_for_each_dev+0x11c/0x19c
   bus_iommu_probe+0xb8/0x7d4
   bus_set_iommu+0xcc/0x13c
   arm_smmu_bus_init+0x44/0x130 [arm_smmu]
   arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]

and the deferred probe function is calling of_iommu_configure on the
same dev which is currently in __iommu_probe_device path in this case
thus causing the race.

> I think adding a refcount to dev_iommu would be a more sensible way to
> mitigate it.

Right, Adding refcount for dev_iommu should help , I'll post a new patch
with it.

Thanks,
Vijay
> 
> Robin.
> 
>> +        ret = __iommu_probe_device(dev, group_list);
>> +        if (ret == -ENODEV)
>> +            ret = 0;
>> +        device_unlock(dev);
>> +    }
>>         return ret;
>>   }