| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Mar 2020 13:50:56 +0000
From: Robin Murphy <robin.murphy@....com>
To: Alexander Dahl <post@...pocky.de>, x86@...nel.org
Cc: Alan Jenkins <alan.christopher.jenkins@...il.com>,
linux-kernel@...r.kernel.org, iommu@...ts.linux-foundation.org,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
"H . Peter Anvin" <hpa@...or.com>,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH] dma: Fix max PFN arithmetic overflow on 32 bit systems
On 2020-03-02 6:16 pm, Alexander Dahl wrote:
> For ARCH=x86 (32 bit) when you set CONFIG_IOMMU_INTEL since c5a5dc4cbbf4
> ("iommu/vt-d: Don't switch off swiotlb if bounce page is used") there's
> a dependency on CONFIG_SWIOTLB, which was not necessarily active before.
>
> The init code for swiotlb in 'pci_swiotlb_detect_4gb()' compares
> something against MAX_DMA32_PFN to decide if it should be active.
> However that define suffers from an arithmetic overflow since
> 1b7e03ef7570 ("x86, NUMA: Enable emulation on 32bit too") when it was
> first made visible to x86_32.
>
> The effect is at boot time 64 MiB (default size) were allocated for
> bounce buffers now, which is a noticeable amount of memory on small
> systems. We noticed this effect on the fli4l Linux distribution when
> migrating from kernel v4.19 (LTS) to v5.4 (LTS) on boards like pcengines
> ALIX 2D3 with 256 MiB memory for example:
>
> Linux version 5.4.22 (buildroot@...ldroot) (gcc version 7.3.0 (Buildroot 2018.02.8)) #1 SMP Mon Nov 26 23:40:00 CET 2018
> …
> Memory: 183484K/261756K available (4594K kernel code, 393K rwdata, 1660K rodata, 536K init, 456K bss , 78272K reserved, 0K cma-reserved, 0K highmem)
> …
> PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
> software IO TLB: mapped [mem 0x0bb78000-0x0fb78000] (64MB)
>
> The initial analysis and the suggested fix was done by user 'sourcejedi'
> at stackoverflow and explicitly marked as GPLv2 for inclusion in the
> Linux kernel:
>
> https://unix.stackexchange.com/a/520525/50007
>
> Fixes: https://web.nettworks.org/bugs/browse/FFL-2560
> Fixes: https://unix.stackexchange.com/q/520065/50007
> Suggested-by: Alan Jenkins <alan.christopher.jenkins@...il.com>
> Signed-off-by: Alexander Dahl <post@...pocky.de>
> ---
> We tested this in qemu and on real hardware with fli4l on top of v5.4,
> v5.5, and v5.6-rc kernels, but only as far as the reserved memory goes.
> The patch itself is based on v5.6-rc3 (IIRC).
>
> A quick grep over the kernel code showed me this define MAX_DMA32_PFN is
> used in other places as well. I would appreciate feedback on this,
> because I can not oversee all side effects this might have?!
>
> Thanks again to Alan who proposed the fix, and for his permission to
> send it upstream.
>
> Greets
> Alex
> ---
> arch/x86/include/asm/dma.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/include/asm/dma.h b/arch/x86/include/asm/dma.h
> index 00f7cf45e699..e25514eca8d6 100644
> --- a/arch/x86/include/asm/dma.h
> +++ b/arch/x86/include/asm/dma.h
> @@ -74,7 +74,7 @@
> #define MAX_DMA_PFN ((16UL * 1024 * 1024) >> PAGE_SHIFT)
>
> /* 4GB broken PCI/AGP hardware bus master zone */
> -#define MAX_DMA32_PFN ((4UL * 1024 * 1024 * 1024) >> PAGE_SHIFT)
> +#define MAX_DMA32_PFN (4UL * ((1024 * 1024 * 1024) >> PAGE_SHIFT))
FWIW, wouldn't s/UL/ULL/ in the original expression suffice? Failing
that, rather than awkward parenthesis trickery it might be clearer to
just copy the one from arch/mips/include/asm/dma.h.
Robin.
>
> #ifdef CONFIG_X86_32
> /* The maximum address that we can perform a DMA transfer to on this platform */
>
Powered by blists - more mailing lists