lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <50A2A04E.1000407@gentoo.org>
Date:	Tue, 13 Nov 2012 13:32:30 -0600
From:	Matthew Thode <prometheanfire@...too.org>
To:	Alex Williamson <alex.williamson@...hat.com>
CC:	Don Dutile <ddutile@...hat.com>,
	Doug Goldstein <cardoe@...too.org>,
	linux-kernel@...r.kernel.org, bhelgaas@...gle.com,
	linux-pci@...r.kernel.org, mthode@...ode.org,
	iommu@...ts.linux-foundation.org
Subject: Re: [BUG 3.7-rc5] NULL pointer deref when using a pcie-pci bridged
 pci device and intel-iommu

On 11/13/2012 01:10 PM, Alex Williamson wrote:
> On Tue, 2012-11-13 at 14:05 -0500, Don Dutile wrote:
>> On 11/13/2012 10:38 AM, Alex Williamson wrote:
>>> On Mon, 2012-11-12 at 15:05 -0600, Matthew Thode wrote:
>>>> On 11/12/2012 01:57 PM, Don Dutile wrote:
>>>>> On 11/12/2012 04:26 AM, Doug Goldstein wrote:
>>>>>> On Sun, Nov 11, 2012 at 5:19 PM, Matthew Thode
>>>>>> <prometheanfire@...too.org>   wrote:
>>>>>>> System boots with vt-d disabled in bios. Otherwise I get the errors in
>>>>>>> the attached log.  I can do whatever testing you need as this system is
>>>>>>> not in production yet.  gonna paste the important part here.  Let me
>>>>>>> know if you want anything else.
>>>>>>>
>>>>>>> Please CC me directly as I am not subscribed to the LKML.
>>>>>>>
>>>>>>>
>>>>>>> Trying to unpack rootfs image as initramfs...
>>>>>>> Freeing initrd memory: 5124k freed
>>>>>>> IOMMU 0 0xfbffe000: using Queued invalidation
>>>>>>> IOMMU: Setting RMRR:
>>>>>>> IOMMU: Setting identity map for device 0000:00:1d.0 [0xbf7ec000 -
>>>>>>> 0xbf7fffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1d.1 [0xbf7ec000 -
>>>>>>> 0xbf7fffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1d.2 [0xbf7ec000 -
>>>>>>> 0xbf7fffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1d.7 [0xbf7ec000 -
>>>>>>> 0xbf7fffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1a.0 [0xbf7ec000 -
>>>>>>> 0xbf7fffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1a.1 [0xbf7ec000 -
>>>>>>> 0xbf7fffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1a.2 [0xbf7ec000 -
>>>>>>> 0xbf7fffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1a.7 [0xbf7ec000 -
>>>>>>> 0xbf7fffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1d.0 [0xec000 - 0xeffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1d.1 [0xec000 - 0xeffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1d.2 [0xec000 - 0xeffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1d.7 [0xec000 - 0xeffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1a.0 [0xec000 - 0xeffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1a.1 [0xec000 - 0xeffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1a.2 [0xec000 - 0xeffff]
>>>>>>> IOMMU: Setting identity map for device 0000:00:1a.7 [0xec000 - 0xeffff]
>>>>>>> IOMMU: Prepare 0-16MiB unity mapping for LPC
>>>>>>> IOMMU: Setting identity map for device 0000:00:1f.0 [0x0 - 0xffffff]
>>>>>>> PCI-DMA: Intel(R) Virtualization Technology for Directed I/O
>>>>>>> BUG: unable to handle kernel NULL pointer dereference at
>>>>>>> 000000000000003c
>>>>>>> IP: [<ffffffff813bd796>] pci_get_dma_source+0xf/0x41
>>>>>>> PGD 0
>>>>>>> Oops: 0000 [#1] SMP
>>>>>>> Modules linked in:
>>>>>>> CPU 7
>>>>>>> Pid: 1, comm: swapper/0 Not tainted 3.7.0-rc5 #1 Penguin Computing
>>>>>>> Relion 1751/X8DTU
>>>>>>> RIP: 0010:[<ffffffff813bd796>]  [<ffffffff813bd796>]
>>>>>>> pci_get_dma_source+0xf/0x41
>>>>>>> RSP: 0000:ffff8806264d1d88  EFLAGS: 00010282
>>>>>>> RAX: ffffffff813bd3a8 RBX: ffff8806261d1000 RCX: 00000000e8221180
>>>>>>> RDX: ffffffff818624f0 RSI: ffff88062635b0c0 RDI: 0000000000000000
>>>>>>> RBP: ffff8806264d1d88 R08: ffff8806263d6000 R09: 00000000ffffffff
>>>>>>> R10: ffff8806264d1ca8 R11: 0000000000000005 R12: 0000000000000000
>>>>>>> R13: ffff8806261d1098 R14: 0000000000000000 R15: 0000000000000000
>>>>>>> FS:  0000000000000000(0000) GS:ffff88063f2e0000(0000)
>>>>>>> knlGS:0000000000000000
>>>>>>> CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>>>>>>> CR2: 000000000000003c CR3: 0000000001c0b000 CR4: 00000000000007e0
>>>>>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>>>>>> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
>>>>>>> Process swapper/0 (pid: 1, threadinfo ffff8806264d0000, task
>>>>>>> ffff8806264cf910)
>>>>>>> Stack:
>>>>>>>    ffff8806264d1dc8 ffffffff815d02c9 0000000000000000 ffff880600000000
>>>>>>>    ffff8806264d1dd8 ffffffff81c64b00 ffff8806261d1098 ffff8806264d1df8
>>>>>>>    ffff8806264d1de8 ffffffff815cd5a4 ffffffff81c64b00 ffffffff815cd56a
>>>>>>> Call Trace:
>>>>>>>    [<ffffffff815d02c9>] intel_iommu_add_device+0x95/0x167
>>>>>>>    [<ffffffff815cd5a4>] add_iommu_group+0x3a/0x41
>>>>>>>    [<ffffffff815cd56a>] ? bus_set_iommu+0x44/0x44
>>>>>>>    [<ffffffff8145eca1>] bus_for_each_dev+0x54/0x81
>>>>>>>    [<ffffffff815cd563>] bus_set_iommu+0x3d/0x44
>>>>>>>    [<ffffffff81cd3fa3>] intel_iommu_init+0xae5/0xb5e
>>>>>>>    [<ffffffff81ca0277>] ? free_initrd+0x9e/0x9e
>>>>>>>    [<ffffffff81ca4248>] ? memblock_find_dma_reserve+0x13f/0x13f
>>>>>>>    [<ffffffff81ca425e>] pci_iommu_init+0x16/0x41
>>>>>>>    [<ffffffff81cc4140>] ? pci_proc_init+0x6b/0x6b
>>>>>>>    [<ffffffff81000231>] do_one_initcall+0x7a/0x129
>>>>>>>    [<ffffffff816dac14>] kernel_init+0x139/0x2a2
>>>>>>>    [<ffffffff81c9d4c7>] ? loglevel+0x31/0x31
>>>>>>>    [<ffffffff816daadb>] ? rest_init+0x6f/0x6f
>>>>>>>    [<ffffffff816f66ac>] ret_from_fork+0x7c/0xb0
>>>>>>>    [<ffffffff816daadb>] ? rest_init+0x6f/0x6f
>>>>>>> Code: ff c1 75 04 ff d0 eb 12 48 83 c2 10 48 8b 42 08 48 85 c0 75 d3 b8
>>>>>>> e7 ff ff ff c9 c3 55 48 c7 c2 f0 24 86 81 48 89 e5 eb 24 8b 0a<66>   3b
>>>>>>> 4f 3c 74 05 66 ff c1 75 13 66 8b 4a 02 66 3b 4f 3e 74 05
>>>>>>> RIP  [<ffffffff813bd796>] pci_get_dma_source+0xf/0x41
>>>>>>>    RSP<ffff8806264d1d88>
>>>>>>> CR2: 000000000000003c
>>>>>>> ---[ end trace 5c5a2ceca067e0ec ]---
>>>>>>> Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
>>>>>>>
>>>>>>> ------------[ cut here ]------------
>>>>>>> WARNING: at arch/x86/kernel/smp.c:123
>>>>>>> native_smp_send_reschedule+0x25/0x51()
>>>>>>> Hardware name: Relion 1751
>>>>>>> Modules linked in:
>>>>>>> Pid: 1, comm: swapper/0 Tainted: G      D      3.7.0-rc5 #1
>>>>>>> Call Trace:
>>>>>>>    <IRQ>    [<ffffffff810968ee>] warn_slowpath_common+0x80/0x98
>>>>>>>    [<ffffffff8109691b>] warn_slowpath_null+0x15/0x17
>>>>>>>    [<ffffffff8104e1a3>] native_smp_send_reschedule+0x25/0x51
>>>>>>>    [<ffffffff810bc81b>] trigger_load_balance+0x1e8/0x214
>>>>>>>    [<ffffffff810b731f>] scheduler_tick+0xd8/0xe1
>>>>>>>    [<ffffffff810a132f>] update_process_times+0x62/0x73
>>>>>>>    [<ffffffff810cb78b>] tick_sched_timer+0x7c/0x9b
>>>>>>>    [<ffffffff810b0f83>] __run_hrtimer.clone.24+0x4e/0xc1
>>>>>>>    [<ffffffff810b15b0>] hrtimer_interrupt+0xc7/0x1ac
>>>>>>>    [<ffffffff8104ef01>] smp_apic_timer_interrupt+0x81/0x94
>>>>>>>    [<ffffffff816f71ca>] apic_timer_interrupt+0x6a/0x70
>>>>>>>    <EOI>    [<ffffffff81097ffc>] ? console_unlock+0x2c2/0x2ed
>>>>>>>    [<ffffffff816f32fc>] ? panic+0x189/0x1c5
>>>>>>>    [<ffffffff816f3261>] ? panic+0xee/0x1c5
>>>>>>>    [<ffffffff8109ab6b>] do_exit+0x357/0x7b2
>>>>>>>    [<ffffffff810371b8>] oops_end+0xb2/0xba
>>>>>>>    [<ffffffff8105841d>] no_context+0x266/0x275
>>>>>>>    [<ffffffff810585e7>] __bad_area_nosemaphore+0x1bb/0x1db
>>>>>>>    [<ffffffff8118de46>] ? sysfs_addrm_finish+0x2f/0xa6
>>>>>>>    [<ffffffff81058615>] bad_area_nosemaphore+0xe/0x10
>>>>>>>    [<ffffffff81058bdb>] __do_page_fault+0x360/0x39f
>>>>>>>    [<ffffffff81394afa>] ? ida_get_new_above+0xf9/0x19e
>>>>>>>    [<ffffffff8112a077>] ? slab_node+0x59/0xa2
>>>>>>>    [<ffffffff816f3ffd>] ? mutex_unlock+0x9/0xb
>>>>>>>    [<ffffffff816da653>] ? klist_put+0x4c/0x70
>>>>>>>    [<ffffffff816da581>] ? klist_next+0x30/0xb6
>>>>>>>    [<ffffffff813b8cf9>] ? pci_do_find_bus+0x49/0x49
>>>>>>>    [<ffffffff81058c42>] do_page_fault+0x9/0xb
>>>>>>>    [<ffffffff816f6232>] page_fault+0x22/0x30
>>>>>>>    [<ffffffff813bd3a8>] ? nv_msi_ht_cap_quirk_all+0x10/0x10
>>>>>>>    [<ffffffff813bd796>] ? pci_get_dma_source+0xf/0x41
>>>>>>>    [<ffffffff815d02c9>] intel_iommu_add_device+0x95/0x167
>>>>>>>    [<ffffffff815cd5a4>] add_iommu_group+0x3a/0x41
>>>>>>>    [<ffffffff815cd56a>] ? bus_set_iommu+0x44/0x44
>>>>>>>    [<ffffffff8145eca1>] bus_for_each_dev+0x54/0x81
>>>>>>>    [<ffffffff815cd563>] bus_set_iommu+0x3d/0x44
>>>>>>>    [<ffffffff81cd3fa3>] intel_iommu_init+0xae5/0xb5e
>>>>>>>    [<ffffffff81ca0277>] ? free_initrd+0x9e/0x9e
>>>>>>>    [<ffffffff81ca4248>] ? memblock_find_dma_reserve+0x13f/0x13f
>>>>>>>    [<ffffffff81ca425e>] pci_iommu_init+0x16/0x41
>>>>>>>    [<ffffffff81cc4140>] ? pci_proc_init+0x6b/0x6b
>>>>>>>    [<ffffffff81000231>] do_one_initcall+0x7a/0x129
>>>>>>>    [<ffffffff816dac14>] kernel_init+0x139/0x2a2
>>>>>>>    [<ffffffff81c9d4c7>] ? loglevel+0x31/0x31
>>>>>>>    [<ffffffff816daadb>] ? rest_init+0x6f/0x6f
>>>>>>>    [<ffffffff816f66ac>] ret_from_fork+0x7c/0xb0
>>>>>>>    [<ffffffff816daadb>] ? rest_init+0x6f/0x6f
>>>>>>> ---[ end trace 5c5a2ceca067e0ed ]---
>>>>>>>
>>>>>>> --
>>>>>>> -- Matthew Thode (prometheanfire)
>>>>>>
>>>>>> The root cause of Matt's issue is that intel_iommu_add_device() calls
>>>>>> pci_get_domain_bus_and_slot() which is returning NULL. Which is not an
>>>>>> expected value. The reason NULL is being returned is that Matt has a
>>>>>> card with a TI XIO2000A/XIO2200A PCIe-PCI bridge (VID: 104C, DID:
>>>>>> 8231) on it. This device already has a quirk setup for disabling fast
>>>>>> back to back transfers on its secondary bus. If we cause it to use the
>>>>>> primary bus, that appears to resolve the issue. I'm not sure exactly
>>>>>> how to proceed from here due to relative lack of knowledge of PCI. Do
>>>>>> all PCIe-PCI bridges with secondary buses need their DMA parent to be
>>>>>> the primary bus or is that just something that should be done for the
>>>>>> TI XIO2000A due to the existing quirk?
>>>>>>
>>>>> DMA from a (legacy) PCI device does not have a SRC-ID in the transaction,
>>>>> so the source of the device generating the DMA is unknown.  When bridging
>>>>> to a PCIe device, the Parent PPB's dev-id is inserted on the PCIe as the
>>>>> source
>>>>> of a transaction -- in this case, DMA read/write transaction.
>>>>> This (sw) mapping should have happened by default, unless a recent
>>>>> change from VFIO
>>>>> broke this mapping.... or the TI bridge didn't report itself correctly
>>>>> as a PCIe-PCI bridge.
>>>>> Alex ?
>>>>>
>>>>>
>>>>>> The failing call with arguments was pci_get_domain_bus_and_slot(0, 5,
>>>>>> 0), while pci_get_domain_bus_and_slot(0, 4, 0) resulted in a system
>>>>>> that didn't panic and a device that worked.
>>>>>>
>>>>>> $ lspci -tvn
>>>>>> -+-[0000:ff]-+-00.0  8086:2c40
>>>>>>    |           +-00.1  8086:2c01
>>>>>>    |           +-02.0  8086:2c10
>>>>>>    |           +-02.1  8086:2c11
>>>>>>    |           +-02.4  8086:2c14
>>>>>>    |           +-02.5  8086:2c15
>>>>>>    |           +-03.0  8086:2c18
>>>>>>    |           +-03.1  8086:2c19
>>>>>>    |           +-03.2  8086:2c1a
>>>>>>    |           +-03.4  8086:2c1c
>>>>>>    |           +-04.0  8086:2c20
>>>>>>    |           +-04.1  8086:2c21
>>>>>>    |           +-04.2  8086:2c22
>>>>>>    |           +-04.3  8086:2c23
>>>>>>    |           +-05.0  8086:2c28
>>>>>>    |           +-05.1  8086:2c29
>>>>>>    |           +-05.2  8086:2c2a
>>>>>>    |           +-05.3  8086:2c2b
>>>>>>    |           +-06.0  8086:2c30
>>>>>>    |           +-06.1  8086:2c31
>>>>>>    |           +-06.2  8086:2c32
>>>>>>    |           \-06.3  8086:2c33
>>>>>>    \-[0000:00]-+-00.0  8086:3406
>>>>>>                +-01.0-[01]--+-00.0  8086:10c9
>>>>>>                |            \-00.1  8086:10c9
>>>>>>                +-03.0-[02]--
>>>>>>                +-05.0-[03]--
>>>>>>                +-07.0-[04-05]----00.0-[05]----08.0  d161:8006
>>>>>>                +-09.0-[06]----00.0  8086:10b9
>>>>>>                +-13.0  8086:342d
>>>>>>                +-14.0  8086:342e
>>>>>>                +-14.1  8086:3422
>>>>>>                +-14.2  8086:3423
>>>>>>                +-14.3  8086:3438
>>>>>>                +-16.0  8086:3430
>>>>>>                +-16.1  8086:3431
>>>>>>                +-16.2  8086:3432
>>>>>>                +-16.3  8086:3433
>>>>>>                +-16.4  8086:3429
>>>>>>                +-16.5  8086:342a
>>>>>>                +-16.6  8086:342b
>>>>>>                +-16.7  8086:342c
>>>>>>                +-1a.0  8086:3a37
>>>>>>                +-1a.1  8086:3a38
>>>>>>                +-1a.2  8086:3a39
>>>>>>                +-1a.7  8086:3a3c
>>>>>>                +-1d.0  8086:3a34
>>>>>>                +-1d.1  8086:3a35
>>>>>>                +-1d.2  8086:3a36
>>>>>>                +-1d.7  8086:3a3a
>>>>>>                +-1e.0-[07]----01.0  102b:0532
>>>>>>                +-1f.0  8086:3a16
>>>>>>                +-1f.2  8086:3a22
>>>>>>                \-1f.3  8086:3a30
>>>>>>
>>>>>> If someone can craft the correct patch that'd be great or answer the
>>>>>> above question and I'll gladly craft it.
>>>>>>
>>>>>> Thanks.
>>>>>
>>>> because I didn't see it.  Here was the patch that got it working for me
>>>> (ignore the printks), applies against 3.6.6 and 3.7-rc5.
>>>
>>> I think you're on the right track, but the solution is too specific.
>>> Here's a version that will fall back to the bridge device for the base
>>> of the group.  There may be opportunities to get rid of the pci_get_
>>> call altogether, but this seems pretty safe.  Can you please test it?
>>> Thanks,
>>>
>>> Alex
>>>
>> going through the logic, I don't see why the pci_get_domain_bus_and_slot()
>> is even called.  once there is a !NULL return for bridge, then
>> it should just do the pci_dev_get(bridge).
> 
> I agree, if we were earlier in the 3.7 cycle I think I'd drop it
> altogether, but I'm nervous that we're forgetting something and opted to
> only fix the clearly broken path.  I can queue a patch for 3.8 that does
> the remaining cleanup.  Thanks,
> 
> Alex
> 

Sounds good, I'll keep patching til 3.8 then, thanks guys :D

Matthew Thode

>>> commit ca15170f05b140ab8c611db5cb7cb9c218ddc930
>>> Author: Alex Williamson<alex.williamson@...hat.com>
>>> Date:   Tue Nov 13 08:34:08 2012 -0700
>>>
>>>      intel-iommu: Fix lookup in add device
>>>
>>>      We can't assume this device exists, fall back to the bridge itself.
>>>
>>>      Signed-off-by: Alex Williamson<alex.williamson@...hat.com>
>>>
>>> diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
>>> index d4a4cd4..0badfa4 100644
>>> --- a/drivers/iommu/intel-iommu.c
>>> +++ b/drivers/iommu/intel-iommu.c
>>> @@ -4108,7 +4108,7 @@ static void swap_pci_ref(struct pci_dev **from, struct pci_dev *to)
>>>   static int intel_iommu_add_device(struct device *dev)
>>>   {
>>>   	struct pci_dev *pdev = to_pci_dev(dev);
>>> -	struct pci_dev *bridge, *dma_pdev;
>>> +	struct pci_dev *bridge, *dma_pdev = NULL;
>>>   	struct iommu_group *group;
>>>   	int ret;
>>>
>>> @@ -4122,7 +4122,7 @@ static int intel_iommu_add_device(struct device *dev)
>>>   			dma_pdev = pci_get_domain_bus_and_slot(
>>>   						pci_domain_nr(pdev->bus),
>>>   						bridge->subordinate->number, 0);
>>> -		else
>>> +		if (!dma_pdev)
>>>   			dma_pdev = pci_dev_get(bridge);
>>>   	} else
>>>   		dma_pdev = pci_dev_get(pdev);
>>>
>>>
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-pci" in
>>> the body of a message to majordomo@...r.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
> 
> 
> 


-- 
-- Matthew Thode (prometheanfire)


Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ