lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1450300844.5150.9.camel@intel.com>
Date:	Wed, 16 Dec 2015 21:20:43 +0000
From:	"Williams, Dan J" <dan.j.williams@...el.com>
To:	"torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>
CC:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-nvdimm@...ts.01.org" <linux-nvdimm@...ts.01.org>,
	"Zwisler, Ross" <ross.zwisler@...el.com>
Subject: [GIT PULL] libnvdimm fixes for 4.4-rc6

Hi Linus, please pull from:

  git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm libnvdimm-fixes

...to receive:

1/ 2 bug fixes for misuse of PAGE_MASK in scatterlist and dma-debug.
 These are tagged for -stable.  The scatterlist impact is potentially
corrupted dma addresses on HIGHMEM enabled platforms.

2/ A minor locking fix for the NFIT hot-add implementation that is new
in 4.4-rc.  This would only trigger in the case a hot-add raced driver
removal.

These have received a build success notification from the kbuild robot.

---

The following changes since commit 527e9316f8ec44bd53d90fb9f611fa7ffff52bb9:

  Linux 4.4-rc4 (2015-12-06 15:43:12 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm libnvdimm-fixes

for you to fetch changes up to 0354aec19ce3d355c6213b0434064efc25c9b22c:

  dma-debug: Fix dma_debug_entry offset calculation (2015-12-16 11:24:26 -0800)

----------------------------------------------------------------
Alexey Khoroshilov (1):
      nfit: acpi_nfit_notify(): Do not leave device locked

Dan Williams (1):
      Revert "scatterlist: use sg_phys()"

Daniel Mentz (1):
      dma-debug: Fix dma_debug_entry offset calculation

 arch/arm/mm/dma-mapping.c                    | 2 +-
 arch/microblaze/kernel/dma.c                 | 3 ++-
 drivers/acpi/nfit.c                          | 2 +-
 drivers/iommu/intel-iommu.c                  | 4 ++--
 drivers/iommu/iommu.c                        | 2 +-
 drivers/staging/android/ion/ion_chunk_heap.c | 4 ++--
 lib/dma-debug.c                              | 4 ++--
 7 files changed, 11 insertions(+), 10 deletions(-)

commit 0354aec19ce3d355c6213b0434064efc25c9b22c
Author: Daniel Mentz <danielmentz@...gle.com>
Date:   Tue Dec 15 17:38:48 2015 -0800

    dma-debug: Fix dma_debug_entry offset calculation
    
    dma-debug uses struct dma_debug_entry to keep track of dma coherent
    memory allocation requests. The virtual address is converted into a pfn
    and an offset. Previously, the offset was calculated using an incorrect
    bit mask.  As a result, we saw incorrect error messages from dma-debug
    like the following:
    
    "DMA-API: exceeded 7 overlapping mappings of cacheline 0x03e00000"
    
    Cacheline 0x03e00000 does not exist on our platform.
    
    Cc: <stable@...r.kernel.org>
    Fixes: 0abdd7a81b7e ("dma-debug: introduce debug_dma_assert_idle()")
    Signed-off-by: Daniel Mentz <danielmentz@...gle.com>
    Signed-off-by: Dan Williams <dan.j.williams@...el.com>

commit 3e6110fd5480f5f86ff31381f4dea14218284bff
Author: Dan Williams <dan.j.williams@...el.com>
Date:   Tue Dec 15 12:54:06 2015 -0800

    Revert "scatterlist: use sg_phys()"
    
    commit db0fa0cb0157 "scatterlist: use sg_phys()" did replacements of
    the form:
    
        phys_addr_t phys = page_to_phys(sg_page(s));
        phys_addr_t phys = sg_phys(s) & PAGE_MASK;
    
    However, this breaks platforms where sizeof(phys_addr_t) >
    sizeof(unsigned long).  Revert for 4.3 and 4.4 to make room for a
    combined helper in 4.5.
    
    Cc: <stable@...r.kernel.org>
    Cc: Jens Axboe <axboe@...com>
    Cc: Christoph Hellwig <hch@....de>
    Cc: Russell King <linux@....linux.org.uk>
    Cc: David Woodhouse <dwmw2@...radead.org>
    Cc: Andrew Morton <akpm@...ux-foundation.org>
    Fixes: db0fa0cb0157 ("scatterlist: use sg_phys()")
    Suggested-by: Joerg Roedel <joro@...tes.org>
    Reported-by: Vitaly Lavrov <vel21ripn@...il.com>
    Signed-off-by: Dan Williams <dan.j.williams@...el.com>

commit d91e892825ae6f0ed4f8b07ae5d348eff86ab2ea
Author: Alexey Khoroshilov <khoroshilov@...ras.ru>
Date:   Fri Dec 11 23:24:10 2015 +0300

    nfit: acpi_nfit_notify(): Do not leave device locked
    
    Even if dev->driver is null because we are being removed,
    it is safer to not leave device locked.
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Signed-off-by: Alexey Khoroshilov <khoroshilov@...ras.ru>
    Reviewed-by: Ross Zwisler <ross.zwisler@...ux.intel.com>
    Reviewed-by: Vishal Verma <vishal.l.verma@...el.com>
    Signed-off-by: Dan Williams <dan.j.williams@...el.com>

diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
index e62400e5fb99..534a60ae282e 100644
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -1521,7 +1521,7 @@ static int __map_sg_chunk(struct device *dev, struct scatterlist *sg,
 		return -ENOMEM;
 
 	for (count = 0, s = sg; count < (size >> PAGE_SHIFT); s = sg_next(s)) {
-		phys_addr_t phys = sg_phys(s) & PAGE_MASK;
+		phys_addr_t phys = page_to_phys(sg_page(s));
 		unsigned int len = PAGE_ALIGN(s->offset + s->length);
 
 		if (!is_coherent &&
diff --git a/arch/microblaze/kernel/dma.c b/arch/microblaze/kernel/dma.c
index c89da6312954..bf4dec229437 100644
--- a/arch/microblaze/kernel/dma.c
+++ b/arch/microblaze/kernel/dma.c
@@ -61,7 +61,8 @@ static int dma_direct_map_sg(struct device *dev, struct scatterlist *sgl,
 	/* FIXME this part of code is untested */
 	for_each_sg(sgl, sg, nents, i) {
 		sg->dma_address = sg_phys(sg);
-		__dma_sync(sg_phys(sg), sg->length, direction);
+		__dma_sync(page_to_phys(sg_page(sg)) + sg->offset,
+							sg->length, direction);
 	}
 
 	return nents;
diff --git a/drivers/acpi/nfit.c b/drivers/acpi/nfit.c
index e7ed39bab97d..aa45d4802707 100644
--- a/drivers/acpi/nfit.c
+++ b/drivers/acpi/nfit.c
@@ -1810,7 +1810,7 @@ static void acpi_nfit_notify(struct acpi_device *adev, u32 event)
 	if (!dev->driver) {
 		/* dev->driver may be null if we're being removed */
 		dev_dbg(dev, "%s: no driver found for dev\n", __func__);
-		return;
+		goto out_unlock;
 	}
 
 	if (!acpi_desc) {
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index f1042daef9ad..ac7387686ddc 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -2159,7 +2159,7 @@ static int __domain_mapping(struct dmar_domain *domain, unsigned long iov_pfn,
 			sg_res = aligned_nrpages(sg->offset, sg->length);
 			sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + sg->offset;
 			sg->dma_length = sg->length;
-			pteval = (sg_phys(sg) & PAGE_MASK) | prot;
+			pteval = page_to_phys(sg_page(sg)) | prot;
 			phys_pfn = pteval >> VTD_PAGE_SHIFT;
 		}
 
@@ -3704,7 +3704,7 @@ static int intel_nontranslate_map_sg(struct device *hddev,
 
 	for_each_sg(sglist, sg, nelems, i) {
 		BUG_ON(!sg_page(sg));
-		sg->dma_address = sg_phys(sg);
+		sg->dma_address = page_to_phys(sg_page(sg)) + sg->offset;
 		sg->dma_length = sg->length;
 	}
 	return nelems;
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index abae363c7b9b..0e3b0092ec92 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -1430,7 +1430,7 @@ size_t default_iommu_map_sg(struct iommu_domain *domain, unsigned long iova,
 	min_pagesz = 1 << __ffs(domain->ops->pgsize_bitmap);
 
 	for_each_sg(sg, s, nents, i) {
-		phys_addr_t phys = sg_phys(s);
+		phys_addr_t phys = page_to_phys(sg_page(s)) + s->offset;
 
 		/*
 		 * We are mapping on IOMMU page boundaries, so offset within
diff --git a/drivers/staging/android/ion/ion_chunk_heap.c b/drivers/staging/android/ion/ion_chunk_heap.c
index 195c41d7bd53..0813163f962f 100644
--- a/drivers/staging/android/ion/ion_chunk_heap.c
+++ b/drivers/staging/android/ion/ion_chunk_heap.c
@@ -81,7 +81,7 @@ static int ion_chunk_heap_allocate(struct ion_heap *heap,
 err:
 	sg = table->sgl;
 	for (i -= 1; i >= 0; i--) {
-		gen_pool_free(chunk_heap->pool, sg_phys(sg) & PAGE_MASK,
+		gen_pool_free(chunk_heap->pool, page_to_phys(sg_page(sg)),
 			      sg->length);
 		sg = sg_next(sg);
 	}
@@ -109,7 +109,7 @@ static void ion_chunk_heap_free(struct ion_buffer *buffer)
 							DMA_BIDIRECTIONAL);
 
 	for_each_sg(table->sgl, sg, table->nents, i) {
-		gen_pool_free(chunk_heap->pool, sg_phys(sg) & PAGE_MASK,
+		gen_pool_free(chunk_heap->pool, page_to_phys(sg_page(sg)),
 			      sg->length);
 	}
 	chunk_heap->allocated -= allocated_size;
diff --git a/lib/dma-debug.c b/lib/dma-debug.c
index 8855f019ebe8..d34bd24c2c84 100644
--- a/lib/dma-debug.c
+++ b/lib/dma-debug.c
@@ -1464,7 +1464,7 @@ void debug_dma_alloc_coherent(struct device *dev, size_t size,
 	entry->type      = dma_debug_coherent;
 	entry->dev       = dev;
 	entry->pfn	 = page_to_pfn(virt_to_page(virt));
-	entry->offset	 = (size_t) virt & PAGE_MASK;
+	entry->offset	 = (size_t) virt & ~PAGE_MASK;
 	entry->size      = size;
 	entry->dev_addr  = dma_addr;
 	entry->direction = DMA_BIDIRECTIONAL;
@@ -1480,7 +1480,7 @@ void debug_dma_free_coherent(struct device *dev, size_t size,
 		.type           = dma_debug_coherent,
 		.dev            = dev,
 		.pfn		= page_to_pfn(virt_to_page(virt)),
-		.offset		= (size_t) virt & PAGE_MASK,
+		.offset		= (size_t) virt & ~PAGE_MASK,
 		.dev_addr       = addr,
 		.size           = size,
 		.direction      = DMA_BIDIRECTIONAL,--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ