iommu/vt-d: Fix race setting IRQ CPU affinity while freeing IRQ

A user process setting the CPU affinity of an IRQ for a KVM
direct-assigned device via /proc/irq/<IRQ#>/smp_affinity can race with
the IRQ being released by QEMU, resulting in a NULL iommu pointer
dereference in get_irte(), causing this crash:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
 IP: [<ffffffff8190a652>] intel_ioapic_set_affinity+0x82/0x1b0
 PGD 99172e067 PUD 1026979067 PMD 0
 Oops: 0000 [#1] SMP
 Modules linked in:
 CPU: 1 PID: 3354 Comm: affin Not tainted 3.16.0-rc7-00007-g31dab71 #1
 Hardware name: Supermicro SYS-F617R2-RT+/X9DRFR, BIOS 3.0a 01/29/2014
 task: ffff881025b0e720 ti: ffff88099173c000 task.ti: ffff88099173c000
 RIP: 0010:[<ffffffff8190a652>]  [<ffffffff8190a652>] intel_ioapic_set_affinity+0x82/0x1b0
 RSP: 0018:ffff88099173fdb0  EFLAGS: 00010046
 RAX: 0000000000000082 RBX: ffff880a36294600 RCX: 0000000000000082
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8266af00
 RBP: ffff88099173fdf8 R08: 0000000000000000 R09: ffff88103ec00490
 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88099173fe90
 R13: 000000000000005f R14: ffff880faa38fe80 R15: ffff880faa38fe80
 FS:  00007f7161f05740(0000) GS:ffff88107fc40000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000090 CR3: 000000099140d000 CR4: 00000000001427e0
 Stack:
  ffffffff81c44740 ffff88099173fdc8 ffffffff00000000 00000000c991fd3b
  ffff880a36294600 ffff88099173fe90 ffff88099173fe90 0000000000000000
  0000000000000286 ffff88099173fe08 ffffffff8190aac5 ffff88099173fe28
 Call Trace:
  [<ffffffff8190aac5>] set_remapped_irq_affinity+0x25/0x40
  [<ffffffff811322dc>] irq_do_set_affinity+0x1c/0x50
  [<ffffffff81132458>] irq_set_affinity_locked+0x98/0xd0
  [<ffffffff811324d6>] __irq_set_affinity+0x46/0x70
  [<ffffffff811362dc>] write_irq_affinity.isra.6+0xdc/0x100
  [<ffffffff8113631c>] irq_affinity_list_proc_write+0x1c/0x20
  [<ffffffff8129f30d>] proc_reg_write+0x3d/0x80
  [<ffffffff812384a7>] vfs_write+0xb7/0x1f0
  [<ffffffff81243619>] ? putname+0x29/0x40
  [<ffffffff812390c5>] SyS_write+0x55/0xd0
  [<ffffffff81adc729>] system_call_fastpath+0x16/0x1b
 Code: ff 48 85 d2 74 68 4c 8b 7a 30 4d 85 ff 74 5f 48 c7 c7 00 af 66 82 e8 9e 1b 1d 00 49 8b 57 20 41 0f b7 77 28 48 c7 c7 00 af 66 82 <48> 8b 8a 90 00 00 00 41 0f b7 57 2a 01 f2 48 89 c6 48 63 d2 48
 RIP  [<ffffffff8190a652>] intel_ioapic_set_affinity+0x82/0x1b0
  RSP <ffff88099173fdb0>
 CR2: 0000000000000090

Signed-off-by: Greg Edwards <gedwards@ddn.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>

diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
index 757e0b0d19ffb088b958e07636189817478cdcd3..0df41f6264f50f3e70ef9adebeae32a3658658eb 100644 (file)
--- a/drivers/iommu/intel_irq_remapping.c
+++ b/drivers/iommu/intel_irq_remapping.c
@@ -70,6 +70,11 @@ static int get_irte(int irq, struct irte *entry)
 
        raw_spin_lock_irqsave(&irq_2_ir_lock, flags);
 
+       if (unlikely(!irq_iommu->iommu)) {
+               raw_spin_unlock_irqrestore(&irq_2_ir_lock, flags);
+               return -1;
+       }
+
        index = irq_iommu->irte_index + irq_iommu->sub_handle;
        *entry = *(irq_iommu->iommu->ir_table->base + index);