From: Russell King
To: iommu@lists.linux-foundation.org, linux-arm-kernel@lists.infradead.org, linux-tegra@vger.kernel.org
Cc: Alexandre Courbot, Joerg Roedel, Stephen Warren, Thierry Reding, Hiroshi Doyu
Subject: [PATCH 04/18] iommu: tegra-smmu: fix unmap() method
Date: Mon, 27 Jul 2015 13:29:05 +0100

The Tegra SMMU unmap path has several problems:

1. as_pte_put() can perform a write-after-free
2. tegra_smmu_unmap() can perform cache maintenance on a page we have
   just freed.
3. when a page table is unmapped, there is no CPU cache maintenance of
   the write clearing the page directory entry, nor is there any
   maintenance of the IOMMU to ensure that it sees the page table has
   gone.

Fix this by getting rid of as_pte_put(), and instead coding the PTE
unmap separately from the PDE unmap, placing the PDE unmap after the
PTE unmap has been completed.

Signed-off-by: Russell King
---
 drivers/iommu/tegra-smmu.c | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c index 083354903a1a..a7a7645fb268 100644 --- drivers/iommu/tegra-smmu.c
+++ b/drivers/iommu/tegra-smmu.c @@ -509,29 +509,35 @@ static u32 *as_get_pte(struct tegra_smmu_as *as, dma_addr_t iova, return &pt[pte]; } -static void as_put_pte(struct tegra_smmu_as *as, dma_addr_t iova) +static void tegra_smmu_pte_put_use(struct tegra_smmu_as *as, unsigned long iova) { + struct tegra_smmu *smmu = as->smmu; u32 pde = (iova >> SMMU_PDE_SHIFT) & 0x3ff; - u32 pte = (iova >> SMMU_PTE_SHIFT) & 0x3ff; u32 *count = page_address(as->count); - u32 *pd = page_address(as->pd), *pt; + u32 *pd = page_address(as->pd); struct page *page; - page = pfn_to_page(pd[pde] & as->smmu->pfn_mask); - pt = page_address(page); + page = pfn_to_page(pd[pde] & smmu->pfn_mask); /* * When no entries in this page table are used anymore, return the * memory page to the system. */ - if (pt[pte] != 0) { - if (--count[pde] == 0) { - ClearPageReserved(page); - __free_page(page); - pd[pde] = 0; - } + if (--count[pde] == 0) { + unsigned int offset = pde * sizeof(*pd); - pt[pte] = 0; + /* Clear the page directory entry first */ + pd[pde] = 0; + + /* Flush the page directory entry */ + smmu->soc->ops->flush_dcache(as->pd, offset, sizeof(*pd)); + smmu_flush_ptc(smmu, as->pd, offset); + smmu_flush_tlb_section(smmu, as->id, iova); + smmu_flush(smmu); + + /* Finally, free the page */ + ClearPageReserved(page); + __free_page(page); } } @@ -569,17 +575,20 @@ static size_t tegra_smmu_unmap(struct iommu_domain *domain, unsigned long iova, u32 *pte; pte = as_get_pte(as, iova, &page); - if (!pte) + if (!pte || !*pte) return 0; + *pte = 0; + offset = offset_in_page(pte); - as_put_pte(as, iova); smmu->soc->ops->flush_dcache(page, offset, 4); smmu_flush_ptc(smmu, page, offset); smmu_flush_tlb_group(smmu, as->id, iova); smmu_flush(smmu); + tegra_smmu_pte_put_use(as, iova); + return size; }
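
Review bot: In the first hunk, tegra_smmu_pte_put_use() now decrements count[pde] unconditionally, so it relies on every caller having already confirmed that the PTE was in use; the old "if (pt[pte] != 0)" guard is gone and the only check left is the "!pte || !*pte" test in tegra_smmu_unmap(). Since count is a u32 array, a call with count[pde] already at 0 would wrap instead of reaching 0, and the page table would never be released. Please either document the precondition in a comment above the function or guard the decrement (for example a WARN_ON when count[pde] is 0 before "--count[pde]"). Separately, the iova parameter changes from dma_addr_t to unsigned long here while as_get_pte() in the context line above still takes dma_addr_t; the commit message does not mention this, so it is worth a line of explanation or a separate patch.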
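
Review bot: In the second hunk, the new tegra_smmu_pte_put_use(as, iova) call at the end of tegra_smmu_unmap() has to stay after smmu_flush(), because it may free the page that the preceding flush_dcache(page, offset, 4) and smmu_flush_ptc(smmu, page, offset) operate on, but nothing in the code records that ordering requirement. A short comment above the call would keep a later cleanup from moving it back ahead of the cache and PTC maintenance. As a style point, the literal 4 in flush_dcache(page, offset, 4) could become sizeof(*pte), matching the sizeof(*pd) used for the page directory flush in the first hunk.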