| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230109083429.25622-1-yf.wang@mediatek.com>
Date: Mon, 9 Jan 2023 16:34:28 +0800
From: <yf.wang@...iatek.com>
To: Robin Murphy <robin.murphy@....com>,
Joerg Roedel <joro@...tes.org>,
"Will Deacon" <will@...nel.org>,
Matthias Brugger <matthias.bgg@...il.com>,
"open list:IOMMU DMA-API LAYER" <iommu@...ts.linux.dev>,
open list <linux-kernel@...r.kernel.org>,
"moderated list:ARM/Mediatek SoC support"
<linux-arm-kernel@...ts.infradead.org>,
"moderated list:ARM/Mediatek SoC support"
<linux-mediatek@...ts.infradead.org>
CC: <wsd_upstream@...iatek.com>, Libo Kang <Libo.Kang@...iatek.com>,
Yong Wu <yong.wu@...iatek.com>, Ning Li <Ning.Li@...iatek.com>,
jianjiao zeng <jianjiao.zeng@...iatek.com>,
Yunfei Wang <yf.wang@...iatek.com>
Subject: [PATCH] iommu/iova: Fix alloc iova overflows issue
From: Yunfei Wang <yf.wang@...iatek.com>
In __alloc_and_insert_iova_range, there is an issue that retry_pfn
overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when
iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will
overflow. As a result, if the retry logic is executed, low_pfn is
updated to 0, and then new_pfn < low_pfn returns false to make the
allocation successful.
This issue occurs in the following two situations:
1. The first iova size exceeds the domain size. When initializing
iova domain, iovad->cached_node is assigned as iovad->anchor. For
example, the iova domain size is 10M, start_pfn is 0x1_F000_0000,
and the iova size allocated for the first time is 11M. The
following is the log information, new->pfn_lo is smaller than
iovad->cached_node.
Example log:
[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00
[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff
2. The node with the largest iova->pfn_lo value in the iova domain
is deleted, iovad->cached_node will be updated to iovad->anchor,
and then the alloc iova size exceeds the maximum iova size that can
be allocated in the domain.
Adding judgment that retry_pfn must be greater than iovad->start_pfn
can fix this issue.
Signed-off-by: jianjiao zeng <jianjiao.zeng@...iatek.com>
Signed-off-by: Yunfei Wang <yf.wang@...iatek.com>
---
drivers/iommu/iova.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
index a44ad92fc5eb..0073206c2a95 100644
--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -209,7 +209,8 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad,
} while (curr && new_pfn <= curr_iova->pfn_hi && new_pfn >= low_pfn);
if (high_pfn < size || new_pfn < low_pfn) {
- if (low_pfn == iovad->start_pfn && retry_pfn < limit_pfn) {
+ if (low_pfn == iovad->start_pfn &&
+ retry_pfn >= iovad->start_pfn && retry_pfn < limit_pfn) {
high_pfn = limit_pfn;
low_pfn = retry_pfn;
curr = iova_find_limit(iovad, limit_pfn);
--
2.18.0
Powered by blists - more mailing lists