Date: Wed, 26 Jun 2024 12:42:31 -0700
From: Rob Clark <robdclark@...il.com>
To: Pranjal Shrivastava <praan@...gle.com>
Cc: iommu@...ts.linux.dev, linux-arm-msm@...r.kernel.org, 
	Stephen Boyd <swboyd@...omium.org>, Robin Murphy <robin.murphy@....com>, 
	Rob Clark <robdclark@...omium.org>, Will Deacon <will@...nel.org>, Joerg Roedel <joro@...tes.org>, 
	Jason Gunthorpe <jgg@...pe.ca>, Jerry Snitselaar <jsnitsel@...hat.com>, Rob Herring <robh@...nel.org>, 
	Dmitry Baryshkov <dmitry.baryshkov@...aro.org>, Georgi Djakov <quic_c_gdjako@...cinc.com>, 
	"moderated list:ARM SMMU DRIVERS" <linux-arm-kernel@...ts.infradead.org>, 
	open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] iommu/arm-smmu: Pretty-print context fault related regs

On Wed, Jun 26, 2024 at 12:08 PM Pranjal Shrivastava <praan@...gle.com> wrote:
>
> Hi Rob,
>
>
> On Wed, Jun 26, 2024 at 10:08 PM Rob Clark <robdclark@...il.com> wrote:
> >
> > From: Rob Clark <robdclark@...omium.org>
> >
> > Parse out the bitfields for easier-to-read fault messages.
> >
> > Signed-off-by: Rob Clark <robdclark@...omium.org>
> > ---
> > I kept with the dev_err, which matches qcom_smmu_context_fault.  It is
> > only adding two extra lines, and it is ratelimited.
> >
> > I also converted qcom_smmu_context_fault() to use the helpers to do the
> > parsing, rather than more or less duplicating.
> >
> >  .../iommu/arm/arm-smmu/arm-smmu-qcom-debug.c  | 21 +++---
> >  drivers/iommu/arm/arm-smmu/arm-smmu.c         | 70 ++++++++++++++++++-
> >  drivers/iommu/arm/arm-smmu/arm-smmu.h         | 58 +++++++++------
> >  3 files changed, 110 insertions(+), 39 deletions(-)
> >
> > diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom-debug.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom-debug.c
> > index 552199cbd9e2..ee7eab273e1a 100644
> > --- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom-debug.c
> > +++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom-debug.c
> > @@ -429,22 +429,17 @@ irqreturn_t qcom_smmu_context_fault(int irq, void *dev)
> >                 phys_addr_t phys_atos = qcom_smmu_verify_fault(smmu_domain, iova, fsr);
> >
> >                 if (__ratelimit(&_rs)) {
> > +                       char buf[80];
>
> Super Nit: I'm not a fan of hardcoding the buffer size but I'm also not sure
> if this makes a strong enough case for a macro definition. Any thoughts, anyone?
>
> > +
> >                         dev_err(smmu->dev,
> >                                 "Unhandled context fault: fsr=0x%x, iova=0x%08lx, fsynr=0x%x, cbfrsynra=0x%x, cb=%d\n",
> >                                 fsr, iova, fsynr, cbfrsynra, idx);
> > -                       dev_err(smmu->dev,
> > -                               "FSR    = %08x [%s%s%s%s%s%s%s%s%s], SID=0x%x\n",
> > -                               fsr,
> > -                               (fsr & 0x02) ? "TF " : "",
> > -                               (fsr & 0x04) ? "AFF " : "",
> > -                               (fsr & 0x08) ? "PF " : "",
> > -                               (fsr & 0x10) ? "EF " : "",
> > -                               (fsr & 0x20) ? "TLBMCF " : "",
> > -                               (fsr & 0x40) ? "TLBLKF " : "",
> > -                               (fsr & 0x80) ? "MHF " : "",
> > -                               (fsr & 0x40000000) ? "SS " : "",
> > -                               (fsr & 0x80000000) ? "MULTI " : "",
> > -                               cbfrsynra);
> > +
> > +                       arm_smmu_parse_fsr(buf, fsr);
> > +                       dev_err(smmu->dev, "FSR: %s\n", buf);
> > +
> > +                       arm_smmu_parse_fsynr0(buf, fsynr);
> > +                       dev_err(smmu->dev, "FSYNR0: %s\n", buf);
> >
> >                         dev_err(smmu->dev,
> >                                 "soft iova-to-phys=%pa\n", &phys_soft);
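Review bot: the decoded FSR line printed from qcom_smmu_context_fault() changes its text in ways the commit message does not mention. Bit 7 (0x80) was labelled "MHF" and will now print as "ASF", the flags are joined with "|" instead of being space-separated inside brackets, the raw %08x value and the "SID=0x%x" label are gone from that line, and UUT and FORMAT are reported for the first time. cbfrsynra is still in the first dev_err(), so no information is lost, but anything matching on the old "FSR    = ..." line will stop matching; a sentence in the changelog about the new format would help.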
> > diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c
> > index 87c81f75cf84..7f5ca75d5ebe 100644
> > --- a/drivers/iommu/arm/arm-smmu/arm-smmu.c
> > +++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c
> > @@ -405,12 +405,67 @@ static const struct iommu_flush_ops arm_smmu_s2_tlb_ops_v1 = {
> >         .tlb_add_page   = arm_smmu_tlb_add_page_s2_v1,
> >  };
> >
> > +void arm_smmu_parse_fsr(char buf[80], u32 fsr)
> > +{
> > +       static const struct {
> > +               u32 mask;
> > +               const char *name;
> > +       } fsr_bits[] = {
> > +               { ARM_SMMU_CB_FSR_MULTI,  "MULTI"  },
> > +               { ARM_SMMU_CB_FSR_SS,     "SS"     },
> > +               { ARM_SMMU_CB_FSR_UUT,    "UUT"    },
> > +               { ARM_SMMU_CB_FSR_ASF,    "ASF"    },
> > +               { ARM_SMMU_CB_FSR_TLBLKF, "TLBLKF" },
> > +               { ARM_SMMU_CB_FSR_TLBMCF, "TLBMCF" },
> > +               { ARM_SMMU_CB_FSR_EF,     "EF"     },
> > +               { ARM_SMMU_CB_FSR_PF,     "PF"     },
> > +               { ARM_SMMU_CB_FSR_AFF,    "AFF"    },
> > +               { ARM_SMMU_CB_FSR_TF,     "TF"     },
> > +       };
> > +       char *p = buf;
> > +
> > +       p += sprintf(p, "FORMAT=%u",
> > +                    (u32)FIELD_GET(ARM_SMMU_CB_FSR_FORMAT, fsr));
> > +
> > +       for (int i = 0; i < ARRAY_SIZE(fsr_bits); i++)
> > +               if (fsr & fsr_bits[i].mask)
> > +                       p += sprintf(p, "|%s", fsr_bits[i].name);
> > +}
>
> Buffer overflow alert: I suggest passing the buffer size as an
> additional "size" parameter to the function.
> Based on that size parameter, we must ensure that `p` doesn't reach
> out of bounds.
> Maybe using snprintf() to limit the num of characters to the "size"
> parameter would make more sense.

I thought about this, but decided that, since nothing about the string
length is attacker controlled, and there were really only two users,
the simpler "just make the buffer big enough" approach would be fine.
It isn't like there will be a whole bunch more bitfields added.

Perhaps I should just add a #define for buf length, and a WARN_ON() if
that is exceeded.  That plus a selftest which calls both the fxns with
register value of ~0 should be enough to prevent any future change
from introducing an overflow.

BR,
-R

> > +
> > +void arm_smmu_parse_fsynr0(char buf[80], u32 fsynr)
>
> Ditto, for this function and also for the signatures in the .h file.
>
>
> > +{
> > +       static const struct {
> > +               u32 mask;
> > +               const char *name;
> > +       } fsynr0_bits[] = {
> > +               { ARM_SMMU_CB_FSYNR0_WNR,    "WNR"    },
> > +               { ARM_SMMU_CB_FSYNR0_PNU,    "PNU"    },
> > +               { ARM_SMMU_CB_FSYNR0_IND,    "IND"    },
> > +               { ARM_SMMU_CB_FSYNR0_NSATTR, "NSATTR" },
> > +               { ARM_SMMU_CB_FSYNR0_PTWF,   "PTWF"   },
> > +               { ARM_SMMU_CB_FSYNR0_AFR,    "AFR"    },
> > +       };
> > +       char *p = buf;
> > +
> > +       p += sprintf(p, "S1CBNDX=%u",
> > +                    (u32)FIELD_GET(ARM_SMMU_CB_FSYNR0_S1CBNDX, fsynr));
> > +
> > +       for (int i = 0; i < ARRAY_SIZE(fsynr0_bits); i++)
> > +               if (fsynr & fsynr0_bits[i].mask)
> > +                       p += sprintf(p, "|%s", fsynr0_bits[i].name);
> > +
> > +       p += sprintf(p, "|PLVL=%u",
> > +                    (u32)FIELD_GET(ARM_SMMU_CB_FSYNR0_PLVL, fsynr));
> > +}
> > +
> >  static irqreturn_t arm_smmu_context_fault(int irq, void *dev)
> >  {
> >         u32 fsr, fsynr, cbfrsynra;
> >         unsigned long iova;
> >         struct arm_smmu_domain *smmu_domain = dev;
> >         struct arm_smmu_device *smmu = smmu_domain->smmu;
> > +       static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
> > +                                     DEFAULT_RATELIMIT_BURST);
> >         int idx = smmu_domain->cfg.cbndx;
> >         int ret;
> >
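Review bot: arm_smmu_parse_fsr() and arm_smmu_parse_fsynr0() write with unbounded sprintf() into a buffer whose length exists only in the `char buf[80]` parameter spelling, which decays to `char *` and is not checked by the compiler. With the tables as posted the longest outputs are 52 characters for FSR and 46 for FSYNR0, so 80 is enough today, but nothing fails if a later table entry pushes past it. Suggest taking a size argument and writing with scnprintf(p, end - p, ...), or at minimum a named length constant plus a check on the final length. The last `p += sprintf(p, "|PLVL=%u", ...)` in arm_smmu_parse_fsynr0() also stores a value that is never read.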
> > @@ -423,13 +478,22 @@ static irqreturn_t arm_smmu_context_fault(int irq, void *dev)
> >         cbfrsynra = arm_smmu_gr1_read(smmu, ARM_SMMU_GR1_CBFRSYNRA(idx));
> >
> >         ret = report_iommu_fault(&smmu_domain->domain, NULL, iova,
> > -               fsynr & ARM_SMMU_FSYNR0_WNR ? IOMMU_FAULT_WRITE : IOMMU_FAULT_READ);
> > +               fsynr & ARM_SMMU_CB_FSYNR0_WNR ? IOMMU_FAULT_WRITE : IOMMU_FAULT_READ);
> > +
> > +       if (ret == -ENOSYS && __ratelimit(&rs)) {
> > +               char buf[80];
> >
> > -       if (ret == -ENOSYS)
> > -               dev_err_ratelimited(smmu->dev,
> > +               dev_err(smmu->dev,
> >                 "Unhandled context fault: fsr=0x%x, iova=0x%08lx, fsynr=0x%x, cbfrsynra=0x%x, cb=%d\n",
> >                             fsr, iova, fsynr, cbfrsynra, idx);
> >
> > +               arm_smmu_parse_fsr(buf, fsr);
> > +               dev_err(smmu->dev, "FSR: %s\n", buf);
> > +
> > +               arm_smmu_parse_fsynr0(buf, fsynr);
> > +               dev_err(smmu->dev, "FSYNR0: %s\n", buf);
> > +       }
> > +
> >         arm_smmu_cb_write(smmu, idx, ARM_SMMU_CB_FSR, fsr);
> >         return IRQ_HANDLED;
> >  }
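Review bot: the two decoded lines in arm_smmu_context_fault() ("FSR: %s" and "FSYNR0: %s") carry no context bank index or iova, so once other output lands between the three dev_err() calls they cannot be matched back to their "Unhandled context fault" line. Suggest adding cb=%d to each decoded line, or printing the decode in the same dev_err() as the raw values. The format string and argument lines of the first dev_err() are unchanged context and keep their old indentation after moving inside the new braces; they should be re-aligned.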
> > diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.h b/drivers/iommu/arm/arm-smmu/arm-smmu.h
> > index 4765c6945c34..763ea52fca64 100644
> > --- a/drivers/iommu/arm/arm-smmu/arm-smmu.h
> > +++ b/drivers/iommu/arm/arm-smmu/arm-smmu.h
> > @@ -196,34 +196,46 @@ enum arm_smmu_cbar_type {
> >  #define ARM_SMMU_CB_PAR_F              BIT(0)
> >
> >  #define ARM_SMMU_CB_FSR                        0x58
> > -#define ARM_SMMU_FSR_MULTI             BIT(31)
> > -#define ARM_SMMU_FSR_SS                        BIT(30)
> > -#define ARM_SMMU_FSR_UUT               BIT(8)
> > -#define ARM_SMMU_FSR_ASF               BIT(7)
> > -#define ARM_SMMU_FSR_TLBLKF            BIT(6)
> > -#define ARM_SMMU_FSR_TLBMCF            BIT(5)
> > -#define ARM_SMMU_FSR_EF                        BIT(4)
> > -#define ARM_SMMU_FSR_PF                        BIT(3)
> > -#define ARM_SMMU_FSR_AFF               BIT(2)
> > -#define ARM_SMMU_FSR_TF                        BIT(1)
> > -
> > -#define ARM_SMMU_FSR_IGN               (ARM_SMMU_FSR_AFF |             \
> > -                                        ARM_SMMU_FSR_ASF |             \
> > -                                        ARM_SMMU_FSR_TLBMCF |          \
> > -                                        ARM_SMMU_FSR_TLBLKF)
> > -
> > -#define ARM_SMMU_FSR_FAULT             (ARM_SMMU_FSR_MULTI |           \
> > -                                        ARM_SMMU_FSR_SS |              \
> > -                                        ARM_SMMU_FSR_UUT |             \
> > -                                        ARM_SMMU_FSR_EF |              \
> > -                                        ARM_SMMU_FSR_PF |              \
> > -                                        ARM_SMMU_FSR_TF |              \
> > +#define ARM_SMMU_CB_FSR_MULTI          BIT(31)
> > +#define ARM_SMMU_CB_FSR_SS             BIT(30)
> > +#define ARM_SMMU_CB_FSR_FORMAT         GENMASK(10, 9)
> > +#define ARM_SMMU_CB_FSR_UUT            BIT(8)
> > +#define ARM_SMMU_CB_FSR_ASF            BIT(7)
> > +#define ARM_SMMU_CB_FSR_TLBLKF         BIT(6)
> > +#define ARM_SMMU_CB_FSR_TLBMCF         BIT(5)
> > +#define ARM_SMMU_CB_FSR_EF             BIT(4)
> > +#define ARM_SMMU_CB_FSR_PF             BIT(3)
> > +#define ARM_SMMU_CB_FSR_AFF            BIT(2)
> > +#define ARM_SMMU_CB_FSR_TF             BIT(1)
> > +
> > +void arm_smmu_parse_fsr(char buf[80], u32 fsr);
> > +
> > +#define ARM_SMMU_FSR_IGN               (ARM_SMMU_CB_FSR_AFF |          \
> > +                                        ARM_SMMU_CB_FSR_ASF |          \
> > +                                        ARM_SMMU_CB_FSR_TLBMCF |       \
> > +                                        ARM_SMMU_CB_FSR_TLBLKF)
> > +
> > +#define ARM_SMMU_FSR_FAULT             (ARM_SMMU_CB_FSR_MULTI |        \
> > +                                        ARM_SMMU_CB_FSR_SS |           \
> > +                                        ARM_SMMU_CB_FSR_UUT |          \
> > +                                        ARM_SMMU_CB_FSR_EF |           \
> > +                                        ARM_SMMU_CB_FSR_PF |           \
> > +                                        ARM_SMMU_CB_FSR_TF |           \
> >                                          ARM_SMMU_FSR_IGN)
> >
> >  #define ARM_SMMU_CB_FAR                        0x60
> >
> >  #define ARM_SMMU_CB_FSYNR0             0x68
> > -#define ARM_SMMU_FSYNR0_WNR            BIT(4)
> > +#define ARM_SMMU_CB_FSYNR0_PLVL                GENMASK(1, 0)
> > +#define ARM_SMMU_CB_FSYNR0_WNR         BIT(4)
> > +#define ARM_SMMU_CB_FSYNR0_PNU         BIT(5)
> > +#define ARM_SMMU_CB_FSYNR0_IND         BIT(6)
> > +#define ARM_SMMU_CB_FSYNR0_NSATTR      BIT(8)
> > +#define ARM_SMMU_CB_FSYNR0_PTWF                BIT(10)
> > +#define ARM_SMMU_CB_FSYNR0_AFR         BIT(11)
> > +#define ARM_SMMU_CB_FSYNR0_S1CBNDX     GENMASK(23, 16)
> > +
> > +void arm_smmu_parse_fsynr0(char buf[80], u32 fsynr);
>
> Apart from the buffer overflow, everything else looks fine to me.
>
> >
> >  #define ARM_SMMU_CB_FSYNR1             0x6c
> >
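Review bot: ARM_SMMU_FSR_IGN and ARM_SMMU_FSR_FAULT keep the old ARM_SMMU_FSR_ prefix while every bit they are built from is renamed to ARM_SMMU_CB_FSR_*, which leaves two naming schemes for the same register in this header. Either rename the two composite masks in the same change or note in the commit message why they stay. The commit message also describes only the pretty-printing, so the rename of the existing FSR and FSYNR0 macros deserves a mention, and the two prototypes carry the same unenforced `char buf[80]` length as the definitions.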
> > --
> > 2.45.2
> >
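The bounded variant discussed in this thread (a size parameter, plus a check against a register value of ~0), as a userspace example added here; it is not part of the patch or the driver. It is narrowed to the FSR decoder, with bit positions copied from the patch's header hunk; FAULT_BUF_LEN, append() and parse_fsr() are names assumed for illustration.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>

#define FAULT_BUF_LEN 80 /* assumed name; the patch hardcodes 80 */

/* FSR bit positions copied from the patch's arm-smmu.h hunk. */
static const struct { uint32_t mask; const char *name; } fsr_bits[] = {
	{ 1u << 31, "MULTI" }, { 1u << 30, "SS" }, { 1u << 8, "UUT" },
	{ 1u << 7, "ASF" }, { 1u << 6, "TLBLKF" }, { 1u << 5, "TLBMCF" },
	{ 1u << 4, "EF" }, { 1u << 3, "PF" }, { 1u << 2, "AFF" }, { 1u << 1, "TF" },
};

/* Append at offset len without writing past size. Returns the new offset, or
 * size when the text did not fit (for size > 0 the result stays terminated). */
static size_t append(char *buf, size_t size, size_t len, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (len >= size)
		return size;
	va_start(ap, fmt);
	n = vsnprintf(buf + len, size - len, fmt, ap);
	va_end(ap);
	return (n < 0 || (size_t)n >= size - len) ? size : len + (size_t)n;
}

/* Returns the string length, or size if the output was truncated. */
size_t parse_fsr(char *buf, size_t size, uint32_t fsr)
{
	size_t len = append(buf, size, 0, "FORMAT=%u", (unsigned)((fsr >> 9) & 3u));

	for (size_t i = 0; i < sizeof(fsr_bits) / sizeof(fsr_bits[0]); i++)
		if (fsr & fsr_bits[i].mask)
			len = append(buf, size, len, "|%s", fsr_bits[i].name);
	return len;
}

int main(void)
{
	char buf[FAULT_BUF_LEN];
	/* ~0 sets every flag and the widest FORMAT value: the longest output. */
	size_t len = parse_fsr(buf, sizeof(buf), ~0u);

	printf("%zu of %d bytes used: %s\n", len + 1, FAULT_BUF_LEN, buf);
	return len < sizeof(buf) ? 0 : 1;
}
```

In the driver the same shape would use scnprintf(), which returns the number of characters actually written.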
