| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <02f259fe-1c6f-834b-c29d-aaf2a0595adb@arm.com>
Date: Wed, 11 Jan 2023 12:11:04 +0000
From: Robin Murphy <robin.murphy@....com>
To: yf.wang@...iatek.com, Joerg Roedel <joro@...tes.org>,
Will Deacon <will@...nel.org>,
Matthias Brugger <matthias.bgg@...il.com>,
"open list:IOMMU DMA-API LAYER" <iommu@...ts.linux.dev>,
open list <linux-kernel@...r.kernel.org>,
"moderated list:ARM/Mediatek SoC support"
<linux-arm-kernel@...ts.infradead.org>,
"moderated list:ARM/Mediatek SoC support"
<linux-mediatek@...ts.infradead.org>
Cc: wsd_upstream@...iatek.com, stable@...r.kernel.org,
Libo Kang <Libo.Kang@...iatek.com>,
Yong Wu <yong.wu@...iatek.com>, Ning Li <Ning.Li@...iatek.com>,
jianjiao zeng <jianjiao.zeng@...iatek.com>
Subject: Re: [PATCH v2] iommu/iova: Fix alloc iova overflows issue
On 2023-01-11 06:38, yf.wang@...iatek.com wrote:
> From: Yunfei Wang <yf.wang@...iatek.com>
>
> In __alloc_and_insert_iova_range, there is an issue that retry_pfn
> overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when
> iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will
> overflow. As a result, if the retry logic is executed, low_pfn is
> updated to 0, and then new_pfn < low_pfn returns false to make the
> allocation successful.
>
> This issue occurs in the following two situations:
> 1. The first iova size exceeds the domain size. When initializing
> iova domain, iovad->cached_node is assigned as iovad->anchor. For
> example, the iova domain size is 10M, start_pfn is 0x1_F000_0000,
> and the iova size allocated for the first time is 11M. The
> following is the log information, new->pfn_lo is smaller than
> iovad->cached_node.
>
> Example log as follows:
> [ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
> start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00
> [ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
> success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff
>
> 2. The node with the largest iova->pfn_lo value in the iova domain
> is deleted, iovad->cached_node will be updated to iovad->anchor,
> and then the alloc iova size exceeds the maximum iova size that can
> be allocated in the domain.
>
> After judging that retry_pfn is less than limit_pfn, call retry_pfn+1
> to fix the overflow issue.
>
> Signed-off-by: jianjiao zeng <jianjiao.zeng@...iatek.com>
> Signed-off-by: Yunfei Wang <yf.wang@...iatek.com>
> Cc: <stable@...r.kernel.org> # 5.15.*
Fixes: 4e89dce72521 ("iommu/iova: Retry from last rb tree node if iova search fails")
Acked-by: Robin Murphy <robin.murphy@....com>
> ---
> v2: Update patch
> 1. Cc stable@...r.kernel.org
> This patch needs to be merged stable branch,
> add stable@...r.kernel.org in mail list.
> 2. Refer robin's suggestion to update patch.
>
> ---
> drivers/iommu/iova.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
> index a44ad92fc5eb..fe452ce46642 100644
> --- a/drivers/iommu/iova.c
> +++ b/drivers/iommu/iova.c
> @@ -197,7 +197,7 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad,
>
> curr = __get_cached_rbnode(iovad, limit_pfn);
> curr_iova = to_iova(curr);
> - retry_pfn = curr_iova->pfn_hi + 1;
> + retry_pfn = curr_iova->pfn_hi;
>
> retry:
> do {
> @@ -211,7 +211,7 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad,
> if (high_pfn < size || new_pfn < low_pfn) {
> if (low_pfn == iovad->start_pfn && retry_pfn < limit_pfn) {
> high_pfn = limit_pfn;
> - low_pfn = retry_pfn;
> + low_pfn = retry_pfn + 1;
> curr = iova_find_limit(iovad, limit_pfn);
> curr_iova = to_iova(curr);
> goto retry;
Powered by blists - more mailing lists