Add patch to fix VFIO IOMMU crash (rhbz 998732)

1 files changed, 39 insertions, 0 deletions

diff --git a/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch b/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
new file mode 100644
index 000000000..0b5fa8a7a
--- /dev/null
+++ b/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch
@@ -0,0 +1,39 @@
+From: Julian Stecklina <jsteckli@os.info.tu-dresden.de>
+Subject: [PATCH] vfio, iommu: Fixed interaction of VFIO_IOMMU_MAP_DMA with IOMMU address limits
+
+The BUG_ON in drivers/iommu/intel-iommu.c:785 can be triggered from userspace via
+VFIO by calling the VFIO_IOMMU_MAP_DMA ioctl on a vfio device with any address
+beyond the addressing capabilities of the IOMMU. The problem is that the ioctl code
+calls iommu_iova_to_phys before it calls iommu_map. iommu_map handles the case that
+it gets addresses beyond the addressing capabilities of its IOMMU.
+intel_iommu_iova_to_phys does not.
+
+This patch fixes iommu_iova_to_phys to return NULL for addresses beyond what the
+IOMMU can handle. This in turn causes the ioctl call to fail in iommu_map and
+(correctly) return EFAULT to the user with a helpful warning message in the kernel
+log.
+
+Signed-off-by: Julian Stecklina <jsteckli@os.inf.tu-dresden.de>
+---
+ drivers/iommu/intel-iommu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
+index eec0d3e..61303db 100644
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -782,7 +782,11 @@ static struct dma_pte *pfn_to_dma_pte(struct dmar_domain *domain,
+ 	int offset;
+ 
+ 	BUG_ON(!domain->pgd);
+-	BUG_ON(addr_width < BITS_PER_LONG && pfn >> addr_width);
++
++	if (addr_width < BITS_PER_LONG && pfn >> addr_width)
++		/* Address beyond IOMMU's addressing capabilities. */
++		return NULL;
++
+ 	parent = domain->pgd;
+ 
+ 	while (level > 0) {
+-- 
+1.8.3.1