lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 31 May 2024 10:37:19 -0400
From: NĂ­colas F. R. A. Prado <nfraprado@...labora.com>
To: Andy Shevchenko <andy.shevchenko@...il.com>
Cc: Mark Brown <broonie@...nel.org>, linux-spi@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Neil Armstrong <neil.armstrong@...aro.org>
Subject: Re: [PATCH v1 0/2] spi: Make dummy SG handling robust

On Fri, May 31, 2024 at 12:44:31PM +0300, Andy Shevchenko wrote:
> There's an unreliable code to handle DMA mappings on unidirection transfers.
> This series does two things:
> - it reverts the seemingly unnecessary change
> - it reworks dummy SG list handling
> 
> There is no need to backport that AFAIU, but no harm to apply for v6.10 aka
> the current release cycle. Guys, please test these. 
> 
> Andy Shevchenko (2):
>   spi: Revert "Check if transfer is mapped before calling DMA sync APIs"
>   spi: Do not rely on the SG table and respective API implementations
> 
>  drivers/spi/spi.c | 46 +++++++++++++++++-----------------------------
>  1 file changed, 17 insertions(+), 29 deletions(-)
> 
> -- 
> 2.45.1
> 

Hi Andy,

applying either of these patches causes issues. See the traces for each one
below. This was tested on top of next-20240531, which works fine.

Thanks,
NĂ­colas

patch 1, spi: Revert "Check if transfer is mapped before calling DMA sync APIs":

[    3.114283] Unable to handle kernel NULL pointer dereference at virtual address 000000000000001c
[    3.123323] Mem abort info:
[    3.126200]   ESR = 0x0000000096000004
[    3.130053]   EC = 0x25: DABT (current EL), IL = 32 bits
[    3.135523]   SET = 0, FnV = 0
[    3.138667]   EA = 0, S1PTW = 0
[    3.141902]   FSC = 0x04: level 0 translation fault
[    3.146913] Data abort info:
[    3.149884]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[    3.155521]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[    3.160717]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    3.166173] [000000000000001c] user address but active_mm is swapper
[    3.169640] input: cros_ec as /devices/platform/soc@...c0000.geniqup/a80000.spi/spi_master/spi6/spi6.0/a80000.spi:ec@0:keyboard-controller/input/input0
[    3.172698] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[    3.172703] Modules linked in:
[    3.172708] CPU: 6 PID: 58 Comm: kworker/u32:1 Not tainted 6.10.0-rc1-next-20240531-00003-g60f06088bdb0 #452
[    3.172716] Hardware name: Google Lazor Limozeen without Touchscreen (rev5 - rev8) (DT)
[    3.172720] Workqueue: events_unbound deferred_probe_work_func
[    3.172735] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    3.172743] pc : iommu_dma_sync_sg_for_device+0x28/0x100
[    3.172755] lr : __dma_sync_sg_for_device+0x28/0x4c
[    3.172764] sp : ffff80008036adc0
[    3.172767] x29: ffff80008036adc0 x28: ffff646682dd4000 x27: ffff646680feb810
[    3.172777] x26: ffff80008036b008 x25: ffff646682dd4480 x24: ffffbf8f359d40e8
[    3.172784] x23: ffff646680feb810 x22: 0000000000000001 x21: 0000000000000000
[    3.172792] x20: ffffbf8f35d3da18 x19: 0000000000000000 x18: ffffbf8f36a1a390
[    3.172799] x17: 0000000000010108 x16: 0000000000000000 x15: 0000000000000002
[    3.172806] x14: 0000000000000001 x13: 0000000000067dc0 x12: 0000000000000001
[    3.172813] x11: ffff80008036acd0 x10: ffff64668370eff8 x9 : ffff646682dd4469
[    3.172821] x8 : ffff646683629704 x7 : 00000000ffffffff x6 : 0000000000000001
[    3.172828] x5 : ffffbf8f3513bdb0 x4 : ffffbf8f34308ccc x3 : 0000000000000001
[    3.172835] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff646680feb810
[    3.172842] Call trace:
[    3.172845]  iommu_dma_sync_sg_for_device+0x28/0x100
[    3.172851]  __dma_sync_sg_for_device+0x28/0x4c
[    3.172856]  spi_transfer_one_message+0x378/0x6e4
[    3.172866]  __spi_pump_transfer_message+0x1e0/0x504
[    3.172875]  __spi_sync+0x2a0/0x3c4
[    3.172882]  spi_sync+0x30/0x54
[    3.172889]  spi_mem_exec_op+0x26c/0x41c
[    3.172898]  spi_nor_spimem_read_data+0x148/0x158
[    3.172906]  spi_nor_read_data+0x30/0x3c
[    3.172913]  spi_nor_read_sfdp+0x74/0xe4
[    3.172922]  spi_nor_parse_sfdp+0x120/0x11d0
[    3.172930]  spi_nor_sfdp_init_params_deprecated+0x3c/0x8c
[    3.172938]  spi_nor_scan+0x5d8/0xe6c
[    3.172946]  spi_nor_probe+0x94/0x2f0
[    3.172954]  spi_mem_probe+0x6c/0xac
[    3.172962]  spi_probe+0x84/0xe4
[    3.172966]  really_probe+0xbc/0x2a0
[    3.172973]  __driver_probe_device+0x78/0x12c
[    3.172980]  driver_probe_device+0x40/0x160
[    3.172986]  __device_attach_driver+0xb8/0x134
[    3.172992]  bus_for_each_drv+0x84/0xe0
[    3.172997]  __device_attach+0xa8/0x1b0
[    3.173004]  device_initial_probe+0x14/0x20
[    3.173010]  bus_probe_device+0xa8/0xac
[    3.173015]  device_add+0x590/0x750
[    3.173026]  __spi_add_device+0x138/0x208
[    3.173033]  of_register_spi_device+0x394/0x57c
[    3.173041]  spi_register_controller+0x394/0x760
[    3.173048]  qcom_qspi_probe+0x328/0x390
[    3.173058]  platform_probe+0x68/0xd8
[    3.173066]  really_probe+0xbc/0x2a0
[    3.173072]  __driver_probe_device+0x78/0x12c
[    3.173078]  driver_probe_device+0x40/0x160
[    3.173084]  __device_attach_driver+0xb8/0x134
[    3.173090]  bus_for_each_drv+0x84/0xe0
[    3.173095]  __device_attach+0xa8/0x1b0
[    3.173101]  device_initial_probe+0x14/0x20
[    3.173108]  bus_probe_device+0xa8/0xac
[    3.173113]  deferred_probe_work_func+0x88/0xc0
[    3.173119]  process_one_work+0x154/0x298
[    3.173131]  worker_thread+0x2f0/0x3f8
[    3.173140]  kthread+0x118/0x11c
[    3.173148]  ret_from_fork+0x10/0x20
[    3.173158] Code: 2a0203f5 2a0303f6 a90363f7 aa0003f7 (b9401c20)
[    3.173163] ---[ end trace 0000000000000000 ]---

patch 2, spi: Do not rely on the SG table and respective API implementations:

[    3.085653] Unable to handle kernel paging request at virtual address ffff801000000000
[    3.093815] Mem abort info:
[    3.109892]   ESR = 0x0000000096000145
[    3.109896]   EC = 0x25: DABT (current EL), IL = 32 bits
[    3.126955]   SET = 0, FnV = 0
[    3.134900] Unable to handle kernel paging request at virtual address ffff801000000000
[    3.138038]   EA = 0, S1PTW = 0
[    3.138041]   FSC = 0x05: level 1 translation fault
[    3.141183] Mem abort info:
[    3.141185]   ESR = 0x0000000096000145
[    3.149305] Data abort info:
[    3.149308]   ISV = 0, ISS = 0x00000145, ISS2 = 0x00000000
[    3.152530]   EC = 0x25: DABT (current EL), IL = 32 bits
[    3.157552]   CM = 1, WnR = 1, TnD = 0, TagAccess = 0
[    3.160417]   SET = 0, FnV = 0
[    3.164276]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    3.167237]   EA = 0, S1PTW = 0
[    3.167240]   FSC = 0x05: level 1 translation fault
[    3.172880] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000082d2d000
[    3.178323] Data abort info:
[    3.178325]   ISV = 0, ISS = 0x00000145, ISS2 = 0x00000000
[    3.178330]   CM = 1, WnR = 1, TnD = 0, TagAccess = 0
[    3.183519] [ffff801000000000] pgd=0000000000000000
[    3.186653]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    3.192114] , p4d=1000000100039003
[    3.195339] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000082d2d000
[    3.195344] [ffff801000000000] pgd=0000000000000000
[    3.200367] , pud=0000000000000000
[    3.207249] , p4d=1000000100039003, pud=0000000000000000
[    3.207257] Internal error: Oops: 0000000096000145 [#1] PREEMPT SMP
[    3.207262] Modules linked in:
[    3.207267] CPU: 7 PID: 70 Comm: kworker/u32:4 Not tainted 6.10.0-rc1-next-20240531-00003-ge34bac32ec36 #453
[    3.207275] Hardware name: Google Lazor Limozeen without Touchscreen (rev5 - rev8) (DT)
[    3.207278] Workqueue: events_unbound deferred_probe_work_func
[    3.207292] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    3.207299] pc : dcache_clean_poc+0x20/0x38
[    3.207315] lr : arch_sync_dma_for_device+0x24/0x30
[    3.207323] sp : ffff8000807d2db0
[    3.207325] x29: ffff8000807d2db0 x28: ffff0cc6c0feb810 x27: ffff0cc6c0feb810
[    3.207334] x26: ffff0cc6c339b800 x25: ffff0cc6c339bc80 x24: ffffb9dc0508af48
[    3.207341] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000001
[    3.207348] x20: ffffc1ffc0000000 x19: ffff0cc6c32b6d20 x18: ffffb9dc0601a390
[    3.207355] x17: 0000000000010108 x16: 0000000000000000 x15: ffff0cc73b5dd580
[    3.207363] x14: ffff0cc6c09591c0 x13: 0000000000000400 x12: ffffb9dc05c0d000
[    3.207370] x11: 071c71c71c71c71c x10: 0000000000000aa0 x9 : ffff8000807d2c80
[    3.207378] x8 : ffff0cc73b5ec800 x7 : 0000000000000400 x6 : ffff0cc73b5ec828
[    3.207385] x5 : ffffb9dc0473bdb0 x4 : fffffe32d7000000 x3 : 000000000000003f
[    3.207392] x2 : 0000000000000040 x1 : ffff801000000000 x0 : ffff801000000000
[    3.207399] Call trace:
[    3.207402]  dcache_clean_poc+0x20/0x38
[    3.207410]  iommu_dma_sync_sg_for_device+0xd4/0x100
[    3.207420]  __dma_sync_sg_for_device+0x28/0x4c
[    3.207427]  spi_transfer_one_message+0x3a8/0x700
[    3.207436]  __spi_pump_transfer_message+0x1f0/0x504
[    3.207444]  __spi_sync+0x2a0/0x3c4
[    3.207452]  spi_sync+0x30/0x54
[    3.207459]  spi_mem_exec_op+0x26c/0x41c
[    3.207468]  spi_nor_spimem_read_data+0x148/0x158
[    3.207476]  spi_nor_read_data+0x30/0x3c
[    3.207482]  spi_nor_read_sfdp+0x74/0xe4
[    3.207490]  spi_nor_parse_sfdp+0x120/0x11d0
[    3.207499]  spi_nor_sfdp_init_params_deprecated+0x3c/0x8c
[    3.207507]  spi_nor_scan+0x5d8/0xe6c
[    3.207515]  spi_nor_probe+0x94/0x2f0
[    3.207523]  spi_mem_probe+0x6c/0xac
[    3.207531]  spi_probe+0x84/0xe4
[    3.207536]  really_probe+0xbc/0x2a0
[    3.207542]  __driver_probe_device+0x78/0x12c
[    3.207549]  driver_probe_device+0x40/0x160
[    3.207555]  __device_attach_driver+0xb8/0x134
[    3.207562]  bus_for_each_drv+0x84/0xe0
[    3.207567]  __device_attach+0xa8/0x1b0
[    3.207573]  device_initial_probe+0x14/0x20
[    3.207580]  bus_probe_device+0xa8/0xac
[    3.207586]  device_add+0x590/0x750
[    3.207596]  __spi_add_device+0x138/0x208
[    3.207603]  of_register_spi_device+0x394/0x57c
[    3.207611]  spi_register_controller+0x394/0x760
[    3.207619]  qcom_qspi_probe+0x328/0x390
[    3.207628]  platform_probe+0x68/0xd8
[    3.207636]  really_probe+0xbc/0x2a0
[    3.207642]  __driver_probe_device+0x78/0x12c
[    3.207649]  driver_probe_device+0x40/0x160
[    3.207655]  __device_attach_driver+0xb8/0x134
[    3.207660]  bus_for_each_drv+0x84/0xe0
[    3.207666]  __device_attach+0xa8/0x1b0
[    3.207672]  device_initial_probe+0x14/0x20
[    3.207679]  bus_probe_device+0xa8/0xac
[    3.207684]  deferred_probe_work_func+0x88/0xc0
[    3.207690]  process_one_work+0x154/0x298
[    3.207701]  worker_thread+0x2f0/0x3f8
[    3.207711]  kthread+0x118/0x11c
[    3.207719]  ret_from_fork+0x10/0x20
[    3.207729] Code: d2800082 9ac32042 d1000443 8a230000 (d50b7a20)
[    3.207733] ---[ end trace 0000000000000000 ]---
[    3.579215]
[    3.580760] Internal error: Oops: 0000000096000145 [#2] PREEMPT SMP
[    3.580767] Modules linked in:
[    3.580774] CPU: 4 PID: 121 Comm: cros_ec_spi_hig Tainted: G      D            6.10.0-rc1-next-20240531-00003-ge34bac32ec36 #453
[    3.580781] Hardware name: Google Lazor Limozeen without Touchscreen (rev5 - rev8) (DT)
[    3.580785] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    3.580792] pc : dcache_clean_poc+0x20/0x38
[    3.580806] lr : arch_sync_dma_for_device+0x24/0x30
[    3.580813] sp : ffff800080e7b970
[    3.580815] x29: ffff800080e7b970 x28: ffff0cc6c0fd0010 x27: ffff0cc6c0fd0010
[    3.580823] x26: ffff0cc6c25d1000 x25: ffff0cc6c25d1480 x24: ffffb9dc0508af48
[    3.580830] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000001
[    3.580837] x20: ffffc1ffc0000000 x19: ffff0cc6c03a9520 x18: ffffb9dc0601a958
[    3.580845] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000002
[    3.580852] x14: 0000000000000001 x13: 000000000006931f x12: 0000000000000001
[    3.580859] x11: ffff800080e7b890 x10: ffff0cc6c03bdff8 x9 : ffff0cc6c25d1469
[    3.580867] x8 : ffff0cc6c002b704 x7 : 0000000000000000 x6 : 0000000000000001
[    3.580873] x5 : ffffb9dc0473bdb0 x4 : fffffe32d7000000 x3 : 000000000000003f
[    3.580880] x2 : 0000000000000040 x1 : ffff801000000000 x0 : ffff801000000000
[    3.580889] Call trace:
[    3.580891]  dcache_clean_poc+0x20/0x38
[    3.580897]  iommu_dma_sync_sg_for_device+0xd4/0x100
[    3.580906]  __dma_sync_sg_for_device+0x28/0x4c
[    3.580913]  spi_transfer_one_message+0x3a8/0x700
[    3.580921]  __spi_pump_transfer_message+0x1f0/0x504
[    3.580928]  __spi_sync+0x2a0/0x3c4
[    3.580933]  spi_sync_locked+0x10/0x1c
[    3.580939]  receive_n_bytes+0xc0/0x118
[    3.580947]  do_cros_ec_pkt_xfer_spi+0x3c0/0x530
[    3.580951]  cros_ec_xfer_high_pri_work+0x20/0x34
[    3.580956]  kthread_worker_fn+0xcc/0x184
[    3.580964]  kthread+0x118/0x11c
[    3.580970]  ret_from_fork+0x10/0x20
[    3.580980] Code: d2800082 9ac32042 d1000443 8a230000 (d50b7a20)
[    3.580983] ---[ end trace 0000000000000000 ]---

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ