Message-ID: <YAsQcLqvi0Lh8PVv@archbook>
Date:   Fri, 22 Jan 2021 09:50:40 -0800
From:   Moritz Fischer <mdf@...nel.org>
To:     Robin Murphy <robin.murphy@....com>
Cc:     Moritz Fischer <mdf@...nel.org>, lorenzo.pieralisi@....com,
        guohanjun@...wei.com, rjw@...ysocki.net,
        linux-kernel@...r.kernel.org, linux-acpi@...r.kernel.org,
        moritzf@...gle.com, sudeep.holla@....com, will@...nel.org,
        linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH v2] ACPI/IORT: Do not blindly trust DMA masks from
 firmware

Hi Robin,

On Fri, Jan 22, 2021 at 02:42:05PM +0000, Robin Murphy wrote:
> On 2021-01-22 01:24, Moritz Fischer wrote:
> > Address issue observed on real world system with suboptimal IORT table
> > where DMA masks of PCI devices would get set to 0 as result.
> > 
> > iort_dma_setup() would query the root complex'/named component IORT
> > entry for a DMA mask, and use that over the one the device has been
> > configured with earlier.
> > 
> > Ideally we want to use the minimum mask of what the IORT contains for
> > the root complex and what the device was configured with.
> > 
> > Fixes: 5ac65e8c8941 ("ACPI/IORT: Support address size limit for root complexes")
> > Signed-off-by: Moritz Fischer <mdf@...nel.org>
> > ---
> > 
> > Changes from v1:
> > - Changed warning to FW_BUG
> > - Warn for both Named Component or Root Complex
> > - Replaced min_not_zero() with min()
> > 
> > ---
> >   drivers/acpi/arm64/iort.c | 14 ++++++++++++--
> >   1 file changed, 12 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
> > index d4eac6d7e9fb..2494138a6905 100644
> > --- a/drivers/acpi/arm64/iort.c
> > +++ b/drivers/acpi/arm64/iort.c
> > @@ -1107,6 +1107,11 @@ static int nc_dma_get_range(struct device *dev, u64 *size)
> >   	ncomp = (struct acpi_iort_named_component *)node->node_data;
> > +	if (!ncomp->memory_address_limit) {
> > +		pr_warn(FW_BUG "Named component missing memory address limit\n");
> > +		return -EINVAL;
> > +	}
> > +
> >   	*size = ncomp->memory_address_limit >= 64 ? U64_MAX :
> >   			1ULL<<ncomp->memory_address_limit;
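Review bot: The pr_warn() added to nc_dma_get_range() does not say which device has the zero memory_address_limit, even though dev is a parameter of this function. Using dev_warn(dev, FW_BUG "...") here would let whoever reads the log map the warning back to the named component whose IORT entry needs fixing.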
> > @@ -1126,6 +1131,11 @@ static int rc_dma_get_range(struct device *dev, u64 *size)
> >   	rc = (struct acpi_iort_root_complex *)node->node_data;
> > +	if (!rc->memory_address_limit) {
> > +		pr_warn(FW_BUG "Root complex missing memory address limit\n");
> > +		return -EINVAL;
> > +	}
> > +
> >   	*size = rc->memory_address_limit >= 64 ? U64_MAX :
> >   			1ULL<<rc->memory_address_limit;
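Review bot: The check added to rc_dma_get_range() runs on every call with a dev. If that happens once per PCI device behind the same root complex, a single bad table entry repeats the identical FW_BUG line for each of them. Consider pr_warn_once(), or include the device in the message. A short comment above the check saying that a limit of 0 would make the size computed just below come out as 1 would also explain why 0 is rejected rather than passed through.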
> > @@ -1173,8 +1183,8 @@ void iort_dma_setup(struct device *dev, u64 *dma_addr, u64 *dma_size)
> >   		end = dmaaddr + size - 1;
> >   		mask = DMA_BIT_MASK(ilog2(end) + 1);
> >   		dev->bus_dma_limit = end;
> > -		dev->coherent_dma_mask = mask;
> > -		*dev->dma_mask = mask;
> > +		dev->coherent_dma_mask = min(dev->coherent_dma_mask, mask);
> > +		*dev->dma_mask = min(*dev->dma_mask, mask);
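Review bot: With plain min() on the two assignments in iort_dma_setup(), a device whose coherent_dma_mask or *dev->dma_mask is still 0 at this point keeps a 0 mask, since the v2 changelog says min_not_zero() was replaced. A one-line comment above these assignments stating that the masks are expected to already hold the value the device was configured with earlier would document that assumption. dev->bus_dma_limit = end is still assigned unconditionally just above; if that is intended, the comment could say so too.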
> 
> Oops, I got so distracted by the "not_zero" aspect in v1 that I ended up
> thinking purely about smaller-than-default masks, but of course this *does*
> matter the other way round. And it is what we've always done on the DT side,
> so at least it makes us consistent.
> 
> FWIW I've already started writing up a patch to kill off this bit entirely,
> but either way we still can't meaningfully interpret a supposed DMA limit of
> 0 bits in a table describing DMA-capable devices, so for this patch as a
> fix,
> 
> Reviewed-by: Robin Murphy <robin.murphy@....com>

I think there's another issue: the comparisons for revision should be
against < 2, not < 1.

From what I could find DEN0049D (IORT) spec introduced the fields
(curiously the C doc seems to be missing).

DEN0049B specifies revision as '0', DEN0049C (missing?), DEN0049D
specifies new fields for memory_size_limit and both Named Component and
Root Complex nodes set revision to 2.

so I think it should be:

if (!node || node->revision < 2)
	return -ENODEV;

Only if we go past this and there is no address limit is it really a
firmware bug.
> 
> Thanks,
> Robin.
> 
> >   	}
> >   	*dma_addr = dmaaddr;
> > 

- Moritz
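
A userspace model of the checks discussed in this thread, added here as an illustration and not code from the patch or the kernel. struct model_node, bits_needed(), model_fw_mask() and model_dma_mask() are hypothetical names, the return codes -1/-2 stand in for the kernel's error values, dmaaddr is assumed to be 0, and the revision gate uses the `< 2` value proposed in the reply above.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace copy of the kernel's DMA_BIT_MASK(n): the n low bits set. */
#define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL << (n)) - 1))

/* Hypothetical stand-in for an IORT node: only the fields the thread uses. */
struct model_node {
	uint8_t revision;
	uint8_t memory_address_limit;	/* address width in bits */
};

/* Bits needed to represent v; equals ilog2(v) + 1 for v > 0, and 0 for v == 0. */
static unsigned int bits_needed(uint64_t v)
{
	unsigned int n = 0;

	for (; v; v >>= 1)
		n++;
	return n;
}

/* Mask derived from the firmware limit alone (dmaaddr assumed to be 0). */
static uint64_t model_fw_mask(uint8_t limit)
{
	uint64_t size = limit >= 64 ? UINT64_MAX : 1ULL << limit;

	return DMA_BIT_MASK(bits_needed(size - 1));
}

/* 0 on success; -1 node too old for the field; -2 limit of 0 (firmware bug). */
static int model_dma_mask(const struct model_node *node, uint64_t dev_mask, uint64_t *out)
{
	uint64_t mask;

	if (!node || node->revision < 2)	/* gate value proposed in the reply */
		return -1;
	if (!node->memory_address_limit)
		return -2;
	mask = model_fw_mask(node->memory_address_limit);
	*out = dev_mask < mask ? dev_mask : mask;	/* min(), as in the patch */
	return 0;
}

int main(void)
{
	/* Constructed input: a limit of 0 turns into an all-zero mask. */
	printf("limit 0 -> mask %#llx\n", (unsigned long long)model_fw_mask(0));
	return 0;
}
```

model_fw_mask(0) reproduces the zero mask the commit message describes, and model_dma_mask() shows the order argued for in the reply: the revision gate first, then the zero-limit check, then the clamp.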
