Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37;
Date:   Wed, 11 Oct 2023 09:39:10 -0300
From:   Jason Gunthorpe <jgg@nvidia.com>
To:     Tina Zhang <tina.zhang@intel.com>,
        Nicolin Chen <nicolinc@nvidia.com>
Cc:     Kevin Tian <kevin.tian@intel.com>,
        Lu Baolu <baolu.lu@linux.intel.com>, iommu@lists.linux.dev,
        linux-kernel@vger.kernel.org, Vasant Hegde <vasant.hegde@amd.com>
Subject: Re: [v6 PATCH 4/5] iommu: Support mm PASID 1:n with sva domains
Message-ID: <20231011123910.GD55194@ziepe.ca>
References: <20231011065132.102676-1-tina.zhang@intel.com>
 <20231011065132.102676-5-tina.zhang@intel.com>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20231011065132.102676-5-tina.zhang@intel.com>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?wYhbpIT4K+IvgbnITapVm6OKH5aKcYPFkPKGugzjYfvQFAlhg1yCg8AeY+QI?=
 =?us-ascii?Q?vcUJ6ok5kD1vuQD/Qa1pQRLV3gxJ1k2OkeG8zdAB23TZZd4328AlM7FGEnt5?=
 =?us-ascii?Q?H3h2cvkdtDlPTJ+0ctxEZrCR2naYw9ovfXGK5z1VxU+jW0c+liuKHI+3dpMH?=
 =?us-ascii?Q?kh7rh0tl4NfvS9KoRYvQM2AB15jv9lxfoPlPNxvzUonh5DstrLORRprNxcrB?=
 =?us-ascii?Q?LXLp8iDAaFoLOZ5xc4+choDncwS+QWu8ceCgkl0Fnv4PFPFe2LemAwRxB5L6?=
 =?us-ascii?Q?FTU1Kw9By/2+067wIhcTlmW/aSNmHqI7zWHCZJs0swDny7H242xanKaqMLl6?=
 =?us-ascii?Q?KVriClileIGyOrL0VXWP3MbIkVvQpZ+WEO5qZpYB4XJfqvh+UlAxW0n/kOCD?=
 =?us-ascii?Q?raTSihhjIZLQ718s/LcMtnPbZ2cvoPOIBwcY95x/rietZoOKcf5WBUzM9Je5?=
 =?us-ascii?Q?lRmbPhZ56QWxigpQ3C1OwxXyygwIonWPr3MEDSbQUkFO329t4271gqYlI7AZ?=
 =?us-ascii?Q?9fRQAsSEHTPy9875A7hn9UZOPHFGeMiV36oeEL4T6m/S0KPilaof8weps9Q2?=
 =?us-ascii?Q?u7Eng4E/tKhqqJzKcBIFJMyhssVdNERb3bWluhPX4nbknV9o/OJ+mazgIOgZ?=
 =?us-ascii?Q?2qHZkcy5ITPNG8/RuHRX4l10fIDCs4nfZ8cKBQqPxw9T/uty6CumMgAsdsRE?=
 =?us-ascii?Q?J93rnrsqHq+mNc2tnlf3onABG4W6ApcLY2yEnAYVWVTkTA6ydh9kaCSjKkDV?=
 =?us-ascii?Q?ozaaQeLLPcy2+4WOOlfCRUdfTOCiUHdjVieTLouNHs6MfGrJjcDzcevSuW+5?=
 =?us-ascii?Q?WxMws2kTfdSB3jiR+QOdbjLaO5ADc1y5/uOkj34fVf0wlxueSVOqiUwuXa27?=
 =?us-ascii?Q?XvtFVTW07Wrx3n3Ix62LjNBVd0YfFQlSYUfSw6DANFY9lFMdYDgXF3fHVN40?=
 =?us-ascii?Q?mqNGoL5RbUE86soFf1FL+UOn2ULnki9Bp/69xxfMP+QavBur2zJG26tPRaTz?=
 =?us-ascii?Q?Cva/6lF1vilVod8QYgw/vb67wrFqCXcdLV3H1oBFJTwV5T28c4KZQLb5dUfe?=
 =?us-ascii?Q?4Lhx2u6jR8qw0DtwesogwvihCo0NYNIZlex+6eAtLTw20sO1PpmoLjZlJUwo?=
 =?us-ascii?Q?nuZuWIi2qT8DeFETkvvieQ1jDUO/jWecG2Ye1muIqbhZdU+P5uIpWw86QsMQ?=
 =?us-ascii?Q?+gNRpijEtmhbPEu24s5Wj8mjYDr4O/MCzGFxbSE2lXRryrKOToBKUOc4FKuA?=
 =?us-ascii?Q?5rKiFMG6xiPj+klFbQypow6c+I8LeOrhJbJ5jH3FeqIWlxD1ID+LZonYRS2R?=
 =?us-ascii?Q?JWk0gsECFwEx7I/f5CraXDforadAufGqaC5f3LqMUu7WqOOZJVb1QyAvqH/N?=
 =?us-ascii?Q?MtKpZDzHqqxpkcJcMXfNKQ0t8+x5vg9hA4Xv5dwb3d1lnCn8p/EbjCG/1oC5?=
 =?us-ascii?Q?iHX19GAmA0O/ud7JWSau9MSl/9M+nt2OtBlw8USBn3TPgsX0lwrsvWxRIVLi?=
 =?us-ascii?Q?rHKqApQanEiKxvUteIwNgi8sQZUfVoJk+7pvXG9pqi2RA8eC6RazQt1BJ/eh?=
 =?us-ascii?Q?sRu2fUOkG8jomZJmSqAaoenOTBaprVMVL1MXReT2?=
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fe727fbe-0636-4485-4768-08dbca5711d3
X-MS-Exchange-CrossTenant-AuthSource: LV2PR12MB5869.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Oct 2023 12:39:11.4752
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: BDQ5TkywiuvZ7ogDBUxLFr/8Aum/KjuXM5bYHxeUBIwHp8C1QFv5V7rqMctvGJmm
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR12MB6136
X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO,
        RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE,
        URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Wed, 11 Oct 2023 05:39:31 -0700 (PDT)

On Wed, Oct 11, 2023 at 02:51:31PM +0800, Tina Zhang wrote:

> diff --git a/kernel/fork.c b/kernel/fork.c
> index 3b6d20dfb9a8..985403a7a747 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -1277,7 +1277,6 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
>  	mm_init_cpumask(mm);
>  	mm_init_aio(mm);
>  	mm_init_owner(mm, p);
> -	mm_pasid_init(mm);
>  	RCU_INIT_POINTER(mm->exe_file, NULL);
>  	mmu_notifier_subscriptions_init(mm);
>  	init_tlb_flush_pending(mm);

Nicolin debugged his crash report last night and sent me the details.

This hunk is the cause of the bug that Nicolin reported.

The dup_mm() flow does:

static struct mm_struct *dup_mm(struct task_struct *tsk,
				struct mm_struct *oldmm)
{
	struct mm_struct *mm;
	int err;

	mm = allocate_mm();
	if (!mm)
		goto fail_nomem;

	memcpy(mm, oldmm, sizeof(*mm));

	if (!mm_init(mm, tsk, mm->user_ns))
		goto fail_nomem;

It is essential that mm_pasid_init() zero the new pointer otherwise,
due to the memcpy, after a fork two mm structs will point to the same
thing and one will UAF/doube free.

Keep mm_pasid_init() and add zeroing the new pointer to it.

Jason