lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 23 Nov 2023 11:13:13 +0000
From:   Robin Murphy <robin.murphy@....com>
To:     Ashish Mhetre <amhetre@...dia.com>, joro@...tes.org,
        will@...nel.org, robh@...nel.org, treding@...dia.com
Cc:     iommu@...ts.linux.dev, linux-kernel@...r.kernel.org,
        linux-tegra@...r.kernel.org
Subject: Re: [PATCH] iommu: Don't reserve IOVA when address and size are zero

On 2023-11-23 6:12 am, Ashish Mhetre wrote:
> When the bootloader/firmware doesn't setup the framebuffers, their
> address and size are zero in "iommu-addresses" property. If we intend to
> use display driver in kernel without framebuffer then it's causing
> the display IOMMU mappings to fail as IOVA is reserved with size and
> address as zero.

Can you clarify the problem there? Looking at the code in 
iova_reserve_iommu_regions() I'm guessing it's that "region->start + 
region->length - 1" underflows so reserve_iova() actually ends up 
reserving the entire valid IOVA space?

> An ideal solution would be firmware removing the "iommu-addresses"
> property and corresponding "memory-region" if display is not present.
> But the kernel should be able to handle this by checking for size and
> address of IOVA and skipping the IOVA reservation if both are 0.

Surely it doesn't make sense to reserve a 0-length region at *any* base 
address? The symptom above wouldn't be quite the same if the base was 
nonzero, but corrupting the rbtree with an entry where pfn_hi < pfn_lo 
would definitely not be good either.

> Fixes: a5bf3cfce8cb ("iommu: Implement of_iommu_get_resv_regions()")
> Signed-off-by: Ashish Mhetre <amhetre@...dia.com>
> ---
>   drivers/iommu/of_iommu.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/iommu/of_iommu.c b/drivers/iommu/of_iommu.c
> index 157b286e36bf..150ef65d357a 100644
> --- a/drivers/iommu/of_iommu.c
> +++ b/drivers/iommu/of_iommu.c
> @@ -255,6 +255,10 @@ void of_iommu_get_resv_regions(struct device *dev, struct list_head *list)
>   				size_t length;
>   
>   				maps = of_translate_dma_region(np, maps, &iova, &length);
> +				if (iova == 0 && length == 0) {
> +					dev_dbg(dev, "Skipping IOVA reservation as address and size are zero\n");

FWIW I'd be inclined to log a visible warning that firmware is giving us 
nonsense.

Thanks,
Robin.

> +					continue;
> +				}
>   				type = iommu_resv_region_get_type(dev, &phys, iova, length);
>   
>   				region = iommu_alloc_resv_region(iova, length, prot, type,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ