lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <02f259fe-1c6f-834b-c29d-aaf2a0595adb@arm.com>
Date:   Wed, 11 Jan 2023 12:11:04 +0000
From:   Robin Murphy <robin.murphy@....com>
To:     yf.wang@...iatek.com, Joerg Roedel <joro@...tes.org>,
        Will Deacon <will@...nel.org>,
        Matthias Brugger <matthias.bgg@...il.com>,
        "open list:IOMMU DMA-API LAYER" <iommu@...ts.linux.dev>,
        open list <linux-kernel@...r.kernel.org>,
        "moderated list:ARM/Mediatek SoC support" 
        <linux-arm-kernel@...ts.infradead.org>,
        "moderated list:ARM/Mediatek SoC support" 
        <linux-mediatek@...ts.infradead.org>
Cc:     wsd_upstream@...iatek.com, stable@...r.kernel.org,
        Libo Kang <Libo.Kang@...iatek.com>,
        Yong Wu <yong.wu@...iatek.com>, Ning Li <Ning.Li@...iatek.com>,
        jianjiao zeng <jianjiao.zeng@...iatek.com>
Subject: Re: [PATCH v2] iommu/iova: Fix alloc iova overflows issue

On 2023-01-11 06:38, yf.wang@...iatek.com wrote:
> From: Yunfei Wang <yf.wang@...iatek.com>
> 
> In __alloc_and_insert_iova_range, there is an issue that retry_pfn
> overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when
> iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will
> overflow. As a result, if the retry logic is executed, low_pfn is
> updated to 0, and then new_pfn < low_pfn returns false to make the
> allocation successful.
> 
> This issue occurs in the following two situations:
> 1. The first iova size exceeds the domain size. When initializing
> iova domain, iovad->cached_node is assigned as iovad->anchor. For
> example, the iova domain size is 10M, start_pfn is 0x1_F000_0000,
> and the iova size allocated for the first time is 11M. The
> following is the log information, new->pfn_lo is smaller than
> iovad->cached_node.
> 
> Example log as follows:
> [  223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
> start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00
> [  223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
> success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff
> 
> 2. The node with the largest iova->pfn_lo value in the iova domain
> is deleted, iovad->cached_node will be updated to iovad->anchor,
> and then the alloc iova size exceeds the maximum iova size that can
> be allocated in the domain.
> 
> After judging that retry_pfn is less than limit_pfn, call retry_pfn+1
> to fix the overflow issue.
> 
> Signed-off-by: jianjiao zeng <jianjiao.zeng@...iatek.com>
> Signed-off-by: Yunfei Wang <yf.wang@...iatek.com>
> Cc: <stable@...r.kernel.org> # 5.15.*

Fixes: 4e89dce72521 ("iommu/iova: Retry from last rb tree node if iova search fails")

Acked-by: Robin Murphy <robin.murphy@....com>

> ---
> v2: Update patch
>      1. Cc stable@...r.kernel.org
>         This patch needs to be merged stable branch,
>         add stable@...r.kernel.org in mail list.
>      2. Refer robin's suggestion to update patch.
> 
> ---
>   drivers/iommu/iova.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
> index a44ad92fc5eb..fe452ce46642 100644
> --- a/drivers/iommu/iova.c
> +++ b/drivers/iommu/iova.c
> @@ -197,7 +197,7 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad,
>   
>   	curr = __get_cached_rbnode(iovad, limit_pfn);
>   	curr_iova = to_iova(curr);
> -	retry_pfn = curr_iova->pfn_hi + 1;
> +	retry_pfn = curr_iova->pfn_hi;
>   
>   retry:
>   	do {
> @@ -211,7 +211,7 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad,
>   	if (high_pfn < size || new_pfn < low_pfn) {
>   		if (low_pfn == iovad->start_pfn && retry_pfn < limit_pfn) {
>   			high_pfn = limit_pfn;
> -			low_pfn = retry_pfn;
> +			low_pfn = retry_pfn + 1;
>   			curr = iova_find_limit(iovad, limit_pfn);
>   			curr_iova = to_iova(curr);
>   			goto retry;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ