Received: by 2002:a05:7412:798b:b0:fc:a2b0:25d7 with SMTP id fb11csp848555rdb;
        Fri, 23 Feb 2024 01:42:18 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCXWBYR5pq/JMoe4BcPVHGQPA/Co0u8ddbN98VZzR1AwuyZyqgAsInh+KaUAYAUnkseSuJqwScVZIGwZOSjOWxRwsV+v4593r4f3xDJhgA==
X-Google-Smtp-Source: AGHT+IGyjQwaFj9bsyl9+FmlSzNA4AL0/bM/S2hMQxcin7aPZVJbzbTXwg/wpYRPGvkkKLi5TjRx
X-Received: by 2002:a05:620a:20cb:b0:787:a7c1:b450 with SMTP id f11-20020a05620a20cb00b00787a7c1b450mr2530742qka.4.1708681337892;
        Fri, 23 Feb 2024 01:42:17 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708681337; cv=pass;
        d=google.com; s=arc-20160816;
        b=zZf59UV9V+vLIvr3djUG5rM5ipMHzWQFD+MuwYPXfaOCoH7Iy5/pF4kweBh/WWISPC
         Dn5QotBg0+H5M/uL5RJUG7YKTiKjzlIy4zSuHw3RdmDZrQ0gCC0kgOMzkREIue3Thpwg
         JblEcXyg+WxImWmYz8Zb5yJRbaAGsXOnpW1S4hV/rrjBeXmGICRawQ1TVtVJC+3vxHn9
         4/dYtPaxX4HunFt5ZWf9er9sXGkq8DugcbPAdwwMkIFPfSChNs297DlJNDlEGyu0Rlst
         QgvLRyuiF3k7GOvvqOL1VnE/DPQMrLN5SZv3/VEPth6iaIpntR+Brs/I1A2wdc8Nf+DK
         AvIQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=ZEiMePE578rbncSKCGn9/0AKvjfDfwffZayqVnGyV9o=;
        fh=RnK+fT/3zdPfXE78kCpgfbbOyF/ikRm/uZYKaw1TlBo=;
        b=Dwsf2t4ZDwlDxPwoMJ4/ivrUDt6e0+iz9xSnQiMXVv5aEMJILE9bNIb0vXRhjLeRrs
         7x8sxkoVLavmVylHKH0S5ndmiPCt5ODMsr2ZXUKz1M2OHEvdufLaWaEfJbGZeZ0OyH4p
         ssx/aGCuDuouAzXjFjCmUba18xzxYMKh5C6QqxrnaW97CTjWZpUmWTU6B29x/Vo+wwmN
         eUvRQm4turtJqO5q0W6lzQIaeAP5QxpxdmfZ4eY+05ztqSUQj3YS7Tc784798RXsrjAY
         QTsECtMO6+9mcycERHGJyke/CVURa5T7LXQXULxC+anZbdalhIRFySEtkBv1jnymVr4F
         APEQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=jOl95ikZ;
       arc=pass (i=1 spf=pass spfdomain=quicinc.com dkim=pass dkdomain=quicinc.com dmarc=pass fromdomain=quicinc.com);
       spf=pass (google.com: domain of linux-kernel+bounces-78044-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-78044-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Return-Path: <linux-kernel+bounces-78044-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id x20-20020a05620a099400b0078753d467c7si12870292qkx.785.2024.02.23.01.42.17
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 23 Feb 2024 01:42:17 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-78044-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=jOl95ikZ;
       arc=pass (i=1 spf=pass spfdomain=quicinc.com dkim=pass dkdomain=quicinc.com dmarc=pass fromdomain=quicinc.com);
       spf=pass (google.com: domain of linux-kernel+bounces-78044-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-78044-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 98F561C24AC9
	for <linux.lists.archive@gmail.com>; Fri, 23 Feb 2024 09:42:17 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 8C0FD5D489;
	Fri, 23 Feb 2024 09:41:10 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="jOl95ikZ"
Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0B86F22EF5;
	Fri, 23 Feb 2024 09:41:05 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1708681269; cv=none; b=sZxLp6HhH2HhIyoaVzLGe3rDQ7xbif1jLjoz+WorNuV7BeAU00Vx3/CEWKxL94vAZWFNv8/t65BfjXj+OhSyHOkxoQ5t9NxegZ/5G/ZNRmh5YMswFs8Puwee538b3T9JgpwBwew4dOghTz8LpJl/7OLWbsMU30OMRoz90YEt+t4=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1708681269; c=relaxed/simple;
	bh=Y43HSQ9Wo88uXt3uxGimbfx8JjZTF/WiQipb+UBy0eo=;
	h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=NXYlCiA1e6Y1Z+WRPbF6isNOuXkfnpU2QCe+7DwBr0kvjSycoMYO4iZ5g1yoDZDlRPiJziMPrYssio20A3t6Nd+x5Du2ElpQgdfXVPxHPUyoUHnH72hf+RQ+zkurhveX9IBZ6wNWI8Y2vG5qqT1+cMERhTyTtlH3uJZn7DEF6f8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=jOl95ikZ; arc=none smtp.client-ip=205.220.180.131
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com
Received: from pps.filterd (m0279873.ppops.net [127.0.0.1])
	by mx0a-0031df01.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 41N8t1bH006239;
	Fri, 23 Feb 2024 09:40:56 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=
	from:to:cc:subject:date:message-id:mime-version:content-type; s=
	qcppdkim1; bh=ZEiMePE578rbncSKCGn9/0AKvjfDfwffZayqVnGyV9o=; b=jO
	l95ikZv5aPMV/HZtNStm2SHFR28H+EFQu++eS0GcUsKVYtuXlKXb3iaGEVb9222i
	IzYM+HYuNH/YdjKhNaeSNWMM5J4nfdXguHecR4Tk+JAsZySE6SiOwgWiDbpuW1i+
	LoR2AtV0LRw9esmW/aNyczFbW78g0Fss3PbytziRkKNzK0g8Gfy8W5HBlN4yj1qq
	tafPqFu2bMVRSd5d6jr0RomEbjvBK6UHcZjUgbdWaNyQIMjK4gRlLbg3LCtJ53+Y
	8o4WKsOxF3m59Jt4RWPIamKNAQ7qhh1tdmTGHxIs9zdddwVXB+o+s8aB5h8J+xRi
	PcO+ACQqq79T/oiXFmBA==
Received: from nalasppmta01.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20])
	by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3wer8mr2t0-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Fri, 23 Feb 2024 09:40:56 +0000 (GMT)
Received: from nalasex01b.na.qualcomm.com (nalasex01b.na.qualcomm.com [10.47.209.197])
	by NALASPPMTA01.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 41N9etiG022307
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Fri, 23 Feb 2024 09:40:55 GMT
Received: from hu-nprakash-blr.qualcomm.com (10.80.80.8) by
 nalasex01b.na.qualcomm.com (10.47.209.197) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1118.40; Fri, 23 Feb 2024 01:40:52 -0800
From: Nikhil V <quic_nprakash@quicinc.com>
To: <stable@vger.kernel.org>
CC: Charan Teja Kalla <quic_charante@quicinc.com>,
        Joerg Roedel
	<joro@8bytes.org>, Will Deacon <will@kernel.org>,
        Robin Murphy
	<robin.murphy@arm.com>, <linux-kernel@vger.kernel.org>,
        <iommu@lists.linux.dev>, Nikhil V <quic_nprakash@quicinc.com>
Subject: [PATCH] iommu: Avoid races around default domain allocations
Date: Fri, 23 Feb 2024 15:10:23 +0530
Message-ID: <cbf1295589bd90083ad6f75a7fbced01f327c047.1708680521.git.quic_nprakash@quicinc.com>
X-Mailer: git-send-email 2.17.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain
X-ClientProxiedBy: nasanex01b.na.qualcomm.com (10.46.141.250) To
 nalasex01b.na.qualcomm.com (10.47.209.197)
X-QCInternal: smtphost
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085
X-Proofpoint-GUID: juVgrq4OEirmf8B-ClsuUbDISik7YfOq
X-Proofpoint-ORIG-GUID: juVgrq4OEirmf8B-ClsuUbDISik7YfOq
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26
 definitions=2024-02-22_15,2024-02-22_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0
 adultscore=0 malwarescore=0 bulkscore=0 clxscore=1011 mlxscore=0
 impostorscore=0 mlxlogscore=996 suspectscore=0 priorityscore=1501
 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.19.0-2402120000 definitions=main-2402230067

From: Charan Teja Kalla <quic_charante@quicinc.com>

This fix is applicable for LTS kernel, 6.1.y. In latest kernels, this race
issue is fixed by the patch series [1] and [2]. The right thing to do here
would have been propagating these changes from latest kernel to the stable
branch, 6.1.y. However, these changes seems too intrusive to be picked for
stable branches. Hence, the fix proposed can be taken as an alternative
instead of backporting the patch series.
[1] https://lore.kernel.org/all/0-v8-81230027b2fa+9d-iommu_all_defdom_jgg@nvidia.com/
[2] https://lore.kernel.org/all/0-v5-1b99ae392328+44574-iommu_err_unwind_jgg@nvidia.com/

Issue:
A race condition is observed when arm_smmu_device_probe and
modprobe of client devices happens in parallel. This results
in the allocation of a new default domain for the iommu group
even though it was previously allocated and the respective iova
domain(iovad) was initialized. However, for this newly allocated
default domain, iovad will not be initialized. As a result, for
devices requesting dma allocations, this uninitialized iovad will
be used, thereby causing NULL pointer dereference issue.

Flow:
- During arm_smmu_device_probe, bus_iommu_probe() will be called
as part of iommu_device_register(). This results in the device probe,
__iommu_probe_device().

- When the modprobe of the client device happens in parallel, it
sets up the DMA configuration for the device using of_dma_configure_id(),
which inturn calls iommu_probe_device(). Later, default domain is
allocated and attached using iommu_alloc_default_domain() and
__iommu_attach_device() respectively. It then ends up initializing a
mapping domain(IOVA domain) and rcaches for the device via
arch_setup_dma_ops()->iommu_setup_dma_ops().

- Now, in the bus_iommu_probe() path, it again tries to allocate
a default domain via probe_alloc_default_domain(). This results in
allocating a new default domain(along with IOVA domain) via
__iommu_domain_alloc(). However, this newly allocated IOVA domain
will not be initialized.

- Now, when the same client device tries dma allocations via
iommu_dma_alloc(), it ends up accessing the rcaches of the newly
allocated IOVA domain, which is not initialized. This results
into NULL pointer dereferencing.

Fix this issue by adding a check in probe_alloc_default_domain()
to see if the iommu_group already has a default domain allocated
and initialized.

Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Co-developed-by: Nikhil V <quic_nprakash@quicinc.com>
Signed-off-by: Nikhil V <quic_nprakash@quicinc.com>
---
 drivers/iommu/iommu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 8b3897239477..83736824f17d 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -1741,6 +1741,9 @@ static void probe_alloc_default_domain(struct bus_type *bus,
 {
 	struct __group_domain_type gtype;
 
+	if (group->default_domain)
+		return;
+
 	memset(&gtype, 0, sizeof(gtype));
 
 	/* Ask for default domain requirements of all devices in the group */
-- 
2.17.1