Boris Ostrovsky reported a memory leak with device passthrough when SME is active.
The VFIO driver uses iommu_iova_to_phys() to get the physical address for an iova. This physical address is later passed into vfio_unmap_unpin() to unpin the memory. The vfio_unmap_unpin() uses pfn_valid() before unpinning the memory. The pfn_valid() check was failing because encryption mask was part of the physical address returned. This resulted in the memory not being unpinned and therefore leaked after the guest terminates.
The memory encryption mask must be cleared from the physical address in iommu_iova_to_phys().
Fixes: 2543a786aa25 ("iommu/amd: Allow the AMD IOMMU to work with memory encryption") Reported-by: Boris Ostrovsky boris.ostrovsky@oracle.com Cc: Tom Lendacky thomas.lendacky@amd.com Cc: Joerg Roedel joro@8bytes.org Cc: iommu@lists.linux-foundation.org Cc: Borislav Petkov bp@suse.de Cc: Paolo Bonzini pbonzini@redhat.com Cc: Radim Krčmář rkrcmar@redhat.com Cc: kvm@vger.kernel.org Cc: Boris Ostrovsky boris.ostrovsky@oracle.com Cc: stable@vger.kernel.org # 4.14+ Signed-off-by: Brijesh Singh brijesh.singh@amd.com --- drivers/iommu/amd_iommu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c index 73e47d9..bee0dfb 100644 --- a/drivers/iommu/amd_iommu.c +++ b/drivers/iommu/amd_iommu.c @@ -3069,7 +3069,7 @@ static phys_addr_t amd_iommu_iova_to_phys(struct iommu_domain *dom, return 0;
offset_mask = pte_pgsize - 1; - __pte = *pte & PM_ADDR_MASK; + __pte = __sme_clr(*pte & PM_ADDR_MASK);
return (__pte & ~offset_mask) | (iova & offset_mask); }
On Thu, Oct 04, 2018 at 09:40:23PM +0000, Singh, Brijesh wrote:
Boris Ostrovsky reported a memory leak with device passthrough when SME is active.
The VFIO driver uses iommu_iova_to_phys() to get the physical address for an iova. This physical address is later passed into vfio_unmap_unpin() to unpin the memory. The vfio_unmap_unpin() uses pfn_valid() before unpinning the memory. The pfn_valid() check was failing because encryption mask was part of the physical address returned. This resulted in the memory not being unpinned and therefore leaked after the guest terminates.
The memory encryption mask must be cleared from the physical address in iommu_iova_to_phys().
Merged and on its way upstream, thanks Brijesh.
linux-stable-mirror@lists.linaro.org