Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1364519pxb; Fri, 21 Jan 2022 16:36:15 -0800 (PST) X-Google-Smtp-Source: ABdhPJxjwLJaIUVmPezSvITPZWyyUfpEWltkrs/kePxlE/PV2x3U24R9B792HXfeP6hQ79KbwTpF X-Received: by 2002:a17:90b:1e08:: with SMTP id pg8mr3025715pjb.216.1642811775736; Fri, 21 Jan 2022 16:36:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642811775; cv=none; d=google.com; s=arc-20160816; b=OoLL2lzDognoLYe491eZKtrsqxJbh9F7KES8xlamUzht4Ex4LRhxzcCcN1j6R9j4/T zqxjr+ZtrrsBW5Ts7dx+B37Ke6O+DbZn8YLS12+tmS0Bphj/8H1VNbZC4TA3KarYI3dr oQMjgchbpXq/3Oik5eHIaEg8STV+UOXofHgJaijxlKwAPyw4KtFjthydMnXI8wHZ4WLb MXRSugN/l/cJi+BNJHQBLXKylHNE5d53mnQpWF/PoNg7+Miqquzlep3NOK1CTQGm+K/L HMaFeBrXH0X+TCly6LUdyyrR172VeheHBEBrP/WxiTTYbe1N3wZ8OfS4SRKkoL2Zzox0 qw1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dmarc-filter:sender:dkim-signature; bh=mvUJa5NM27TZtQgqWoHzntZGWi82X2gSyFxcZw+cSP0=; b=V26FF1s3i6+DOHNBAsBheFChSdAccJB6tfb2ajjcEe+HCZiK01lZozlZJW28Y5Yyxq el2xmVhSYI3x6GIuDWk+Yx0u4QQR2iYSCmIbcMrjmYzHhHLlehSSyiW9/iH57ci4lRk4 sEd0jSEOQbK8E1RQPSQ9t6L18rScZCIflwqW0Kl8Gth8nOQn2VPoYaGZ1QthoehrwYJo WVvHOkOffUMmGRhAgwjRqtUzoN4INsW5rg5NvAiVd0Rt2WAui8mcWUQbvB3tj0QbpD7F lgDYEI0NT6tbaWJ9E41aPKVRw46+4vZMzqz+4HimodQRiL94OOsunDs+xeqGRQs+xq4g E1ow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=gVYJXUAf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bg12si6985932plb.505.2022.01.21.16.36.04; Fri, 21 Jan 2022 16:36:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mg.codeaurora.org header.s=smtp header.b=gVYJXUAf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1378631AbiAUHQR (ORCPT + 99 others); Fri, 21 Jan 2022 02:16:17 -0500 Received: from m43-7.mailgun.net ([69.72.43.7]:16924 "EHLO m43-7.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348864AbiAUHQQ (ORCPT ); Fri, 21 Jan 2022 02:16:16 -0500 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1642749376; h=Content-Transfer-Encoding: Content-Type: In-Reply-To: MIME-Version: Date: Message-ID: From: References: Cc: To: Subject: Sender; bh=mvUJa5NM27TZtQgqWoHzntZGWi82X2gSyFxcZw+cSP0=; b=gVYJXUAf/bmNxWYKfX4CeIZlxHnYAIOM3krFtKnX+/oO9DOtCwo67pGhvMzza4osPsc30vpg q0z+wRvoBKqbrcXKgR+LxXsqSE0zZnl2NPSK+SDF2dA0bdyC/HGsjr5VPB+Su5Odr9UTjH+L +JOEHma1iNWaXoHoMfhPw0zFcoM= X-Mailgun-Sending-Ip: 69.72.43.7 X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n07.prod.us-east-1.postgun.com with SMTP id 61ea5dc0305e503c09af4ed3 (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Fri, 21 Jan 2022 07:16:15 GMT Sender: vjitta=codeaurora.org@mg.codeaurora.org Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 10B02C4361A; Fri, 21 Jan 2022 07:16:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=ALL_TRUSTED,BAYES_00, NICE_REPLY_A,SPF_FAIL autolearn=no autolearn_force=no version=3.4.0 Received: from [192.168.0.101] (unknown [103.164.200.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: vjitta) by smtp.codeaurora.org (Postfix) with ESMTPSA id C8407C4338F; Fri, 21 Jan 2022 07:16:10 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 smtp.codeaurora.org C8407C4338F Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=fail smtp.mailfrom=codeaurora.org Subject: Re: [PATCH v3] iommu: Fix potential use-after-free during probe To: Vijayanand Jitta , Robin Murphy , joro@8bytes.org, will@kernel.org, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org Cc: kernel-team@android.com References: <1641993184-1232-1-git-send-email-quic_vjitta@quicinc.com> <9913d026-fddd-c188-0873-0f7a66fb2c3c@arm.com> <5f923b2d-645c-a7df-e16b-e8526015db32@quicinc.com> From: Vijayanand Jitta Message-ID: <348bccb5-ae73-d8ea-8450-8c0de92ec497@codeaurora.org> Date: Fri, 21 Jan 2022 12:46:02 +0530 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 MIME-Version: 1.0 In-Reply-To: <5f923b2d-645c-a7df-e16b-e8526015db32@quicinc.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/18/2022 9:27 PM, Vijayanand Jitta wrote: > > > On 1/18/2022 7:19 PM, Robin Murphy wrote: >> On 2022-01-12 13:13, Vijayanand Jitta wrote: >>> Kasan has reported the following use after free on dev->iommu. >>> when a device probe fails and it is in process of freeing dev->iommu >>> in dev_iommu_free function, a deferred_probe_work_func runs in parallel >>> and tries to access dev->iommu->fwspec in of_iommu_configure path thus >>> causing use after free. >>> >>> BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4 >>> Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153 >>> >>> Workqueue: events_unbound deferred_probe_work_func >>> Call trace: >>>   dump_backtrace+0x0/0x33c >>>   show_stack+0x18/0x24 >>>   dump_stack_lvl+0x16c/0x1e0 >>>   print_address_description+0x84/0x39c >>>   __kasan_report+0x184/0x308 >>>   kasan_report+0x50/0x78 >>>   __asan_load8+0xc0/0xc4 >>>   of_iommu_configure+0xb4/0x4a4 >>>   of_dma_configure_id+0x2fc/0x4d4 >>>   platform_dma_configure+0x40/0x5c >>>   really_probe+0x1b4/0xb74 >>>   driver_probe_device+0x11c/0x228 >>>   __device_attach_driver+0x14c/0x304 >>>   bus_for_each_drv+0x124/0x1b0 >>>   __device_attach+0x25c/0x334 >>>   device_initial_probe+0x24/0x34 >>>   bus_probe_device+0x78/0x134 >>>   deferred_probe_work_func+0x130/0x1a8 >>>   process_one_work+0x4c8/0x970 >>>   worker_thread+0x5c8/0xaec >>>   kthread+0x1f8/0x220 >>>   ret_from_fork+0x10/0x18 >>> >>> Allocated by task 1: >>>   ____kasan_kmalloc+0xd4/0x114 >>>   __kasan_kmalloc+0x10/0x1c >>>   kmem_cache_alloc_trace+0xe4/0x3d4 >>>   __iommu_probe_device+0x90/0x394 >>>   probe_iommu_group+0x70/0x9c >>>   bus_for_each_dev+0x11c/0x19c >>>   bus_iommu_probe+0xb8/0x7d4 >>>   bus_set_iommu+0xcc/0x13c >>>   arm_smmu_bus_init+0x44/0x130 [arm_smmu] >>>   arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] >>>   platform_drv_probe+0xe4/0x13c >>>   really_probe+0x2c8/0xb74 >>>   driver_probe_device+0x11c/0x228 >>>   device_driver_attach+0xf0/0x16c >>>   __driver_attach+0x80/0x320 >>>   bus_for_each_dev+0x11c/0x19c >>>   driver_attach+0x38/0x48 >>>   bus_add_driver+0x1dc/0x3a4 >>>   driver_register+0x18c/0x244 >>>   __platform_driver_register+0x88/0x9c >>>   init_module+0x64/0xff4 [arm_smmu] >>>   do_one_initcall+0x17c/0x2f0 >>>   do_init_module+0xe8/0x378 >>>   load_module+0x3f80/0x4a40 >>>   __se_sys_finit_module+0x1a0/0x1e4 >>>   __arm64_sys_finit_module+0x44/0x58 >>>   el0_svc_common+0x100/0x264 >>>   do_el0_svc+0x38/0xa4 >>>   el0_svc+0x20/0x30 >>>   el0_sync_handler+0x68/0xac >>>   el0_sync+0x160/0x180 >>> >>> Freed by task 1: >>>   kasan_set_track+0x4c/0x84 >>>   kasan_set_free_info+0x28/0x4c >>>   ____kasan_slab_free+0x120/0x15c >>>   __kasan_slab_free+0x18/0x28 >>>   slab_free_freelist_hook+0x204/0x2fc >>>   kfree+0xfc/0x3a4 >>>   __iommu_probe_device+0x284/0x394 >>>   probe_iommu_group+0x70/0x9c >>>   bus_for_each_dev+0x11c/0x19c >>>   bus_iommu_probe+0xb8/0x7d4 >>>   bus_set_iommu+0xcc/0x13c >>>   arm_smmu_bus_init+0x44/0x130 [arm_smmu] >>>   arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] >>>   platform_drv_probe+0xe4/0x13c >>>   really_probe+0x2c8/0xb74 >>>   driver_probe_device+0x11c/0x228 >>>   device_driver_attach+0xf0/0x16c >>>   __driver_attach+0x80/0x320 >>>   bus_for_each_dev+0x11c/0x19c >>>   driver_attach+0x38/0x48 >>>   bus_add_driver+0x1dc/0x3a4 >>>   driver_register+0x18c/0x244 >>>   __platform_driver_register+0x88/0x9c >>>   init_module+0x64/0xff4 [arm_smmu] >>>   do_one_initcall+0x17c/0x2f0 >>>   do_init_module+0xe8/0x378 >>>   load_module+0x3f80/0x4a40 >>>   __se_sys_finit_module+0x1a0/0x1e4 >>>   __arm64_sys_finit_module+0x44/0x58 >>>   el0_svc_common+0x100/0x264 >>>   do_el0_svc+0x38/0xa4 >>>   el0_svc+0x20/0x30 >>>   el0_sync_handler+0x68/0xac >>>   el0_sync+0x160/0x180 >>> >>> Fix this by taking device_lock during probe_iommu_group. >>> >>> Signed-off-by: Vijayanand Jitta >>> --- >>>   drivers/iommu/iommu.c | 12 ++++++++---- >>>   1 file changed, 8 insertions(+), 4 deletions(-) >>> >>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c >>> index dd7863e..261792d 100644 >>> --- a/drivers/iommu/iommu.c >>> +++ b/drivers/iommu/iommu.c >>> @@ -1617,7 +1617,7 @@ static int probe_iommu_group(struct device *dev, >>> void *data) >>>   { >>>       struct list_head *group_list = data; >>>       struct iommu_group *group; >>> -    int ret; >>> +    int ret = 0; >>>         /* Device is probed already if in a group */ >>>       group = iommu_group_get(dev); >>> @@ -1626,9 +1626,13 @@ static int probe_iommu_group(struct device >>> *dev, void *data) >>>           return 0; >>>       } >>>   -    ret = __iommu_probe_device(dev, group_list); >>> -    if (ret == -ENODEV) >>> -        ret = 0; >>> +    ret = device_trylock(dev); >>> +    if (ret) { >> >> This doesn't seem right - we can't have a non-deterministic situation >> where __iommu_probe_device() may or may not be called depending on what >> anyone else might be doing with the device at the same time. >> >> I don't fully understand how __iommu_probe_device() and >> of_iommu_configure() can be running for the same device at the same >> time, but if that's not a race which can be fixed in its own right, then > > Thanks for the review comments. > > During arm_smmu probe, bus_for_each_dev is called which calls > __iommu_probe_device for each all the devs on that bus. > > __iommu_probe_device+0x90/0x394 > probe_iommu_group+0x70/0x9c > bus_for_each_dev+0x11c/0x19c > bus_iommu_probe+0xb8/0x7d4 > bus_set_iommu+0xcc/0x13c > arm_smmu_bus_init+0x44/0x130 [arm_smmu] > arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] > > and the deferred probe function is calling of_iommu_configure on the > same dev which is currently in __iommu_probe_device path in this case > thus causing the race. > >> I think adding a refcount to dev_iommu would be a more sensible way to >> mitigate it. > > Right, Adding refcount for dev_iommu should help , I'll post a new patch > with it. > I was seeing if refcount would help here, there is some issues if we add a refcount within struct dev_iommu Here the race between below two functions process 1: static void dev_iommu_free(struct device *dev) { iommu_fwspec_free(dev); kfree(dev->iommu); dev->iommu = NULL; } Process 2: static inline struct iommu_fwspec *dev_iommu_fwspec_get(struct device *dev) { if (dev->iommu) return dev->iommu->fwspec; else return NULL; } when process1 is in kfree(dev->iommu) , process2 passes the check of if(dev->iommu) and later get the use after free error when it accesses dev->iomm->fwspec. Even if we add a refcount within dev_iommu and then call dev_iommu_free when refcount reaches 0, we later can't check this refcount in dev_iommu_fwspec_get since its already freed with kfree. Another issue is iommu_fwspec_free which is called within dev_iommu_free calls dev_iommu_fwspec_get , so this again causes issue with refcount. So, I was thinking of adding something like a bool var iommu_dev_set with in struct device itself and we initialize during dev_iommu_get and set it to zero in dev_iommu_free, rest of the places we just check it. Any thoughts on this ? Thanks, Vijay > Thanks, > Vijay >> >> Robin. >> >>> +        ret = __iommu_probe_device(dev, group_list); >>> +        if (ret == -ENODEV) >>> +            ret = 0; >>> +        device_unlock(dev); >>> +    } >>>         return ret; >>>   } -- QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation