lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <0453c762-1f8b-079f-5fdf-548e90909318@oracle.com>
Date:   Tue, 16 Oct 2018 15:21:16 -0700
From:   Joe Jin <joe.jin@...cle.com>
To:     Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>,
        John Sobecki <john.sobecki@...cle.com>,
        "DONGLI.ZHANG" <dongli.zhang@...cle.com>, konrad@...nel.org,
        Christoph Helwig <hch@....de>
Cc:     "xen-devel@...ts.xenproject.org" <xen-devel@...ts.xenproject.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: [PATCH V2] xen-swiotlb: use actually allocated size on check physical
 continuous

xen_swiotlb_{alloc,free}_coherent() allocate/free memory by order,
but passed required size to range_straddles_page_boundary(),
when first pages are physical continuous,
range_straddles_page_boundary() returned true, then did not
exchanged memory with Xen, later on free memory, it tried to
exchanged non-contiguous memory with Xen, then kernel panic.

Signed-off-by: Joe Jin <joe.jin@...cle.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>
Cc: Boris Ostrovsky <boris.ostrovsky@...cle.com>
Cc: Christoph Helwig <hch@....de>
Cc: Dongli Zhang <dongli.zhang@...cle.com>
Cc: John Sobecki <john.sobecki@...cle.com>

---
 drivers/xen/swiotlb-xen.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
index a6f9ba85dc4b..aa081f806728 100644
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -303,6 +303,9 @@ xen_swiotlb_alloc_coherent(struct device *hwdev, size_t size,
 	*/
 	flags &= ~(__GFP_DMA | __GFP_HIGHMEM);
 
+	/* Convert the size to actually allocated. */
+	size = 1UL << (order + XEN_PAGE_SHIFT);
+
 	/* On ARM this function returns an ioremap'ped virtual address for
 	 * which virt_to_phys doesn't return the corresponding physical
 	 * address. In fact on ARM virt_to_phys only works for kernel direct
@@ -351,6 +354,9 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
 	 * physical address */
 	phys = xen_bus_to_phys(dev_addr);
 
+	/* Convert the size to actually allocated. */
+	size = 1UL << (order + XEN_PAGE_SHIFT);
+
 	if (((dev_addr + size - 1 <= dma_mask)) ||
 	    range_straddles_page_boundary(phys, size))
 		xen_destroy_contiguous_region(phys, order);
-- 
2.15.2 (Apple Git-101.1)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ