| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aSZHO6otK0Heh+Qj@devgpu015.cco6.facebook.com>
Date: Tue, 25 Nov 2025 16:18:03 -0800
From: Alex Mastro <amastro@...com>
To: Leon Romanovsky <leon@...nel.org>
CC: Bjorn Helgaas <bhelgaas@...gle.com>,
Logan Gunthorpe
<logang@...tatee.com>, Jens Axboe <axboe@...nel.dk>,
Robin Murphy
<robin.murphy@....com>, Joerg Roedel <joro@...tes.org>,
Will Deacon
<will@...nel.org>,
Marek Szyprowski <m.szyprowski@...sung.com>,
Jason
Gunthorpe <jgg@...pe.ca>,
Andrew Morton <akpm@...ux-foundation.org>,
Jonathan
Corbet <corbet@....net>,
Sumit Semwal <sumit.semwal@...aro.org>,
Christian
König <christian.koenig@....com>,
Kees Cook
<kees@...nel.org>,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
Ankit
Agrawal <ankita@...dia.com>, Yishai Hadas <yishaih@...dia.com>,
Shameer
Kolothum <skolothumtho@...dia.com>,
Kevin Tian <kevin.tian@...el.com>, Alex
Williamson <alex@...zbot.org>,
Krishnakant Jaju <kjaju@...dia.com>, Matt Ochs
<mochs@...dia.com>,
<linux-pci@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<linux-block@...r.kernel.org>, <iommu@...ts.linux.dev>,
<linux-mm@...ck.org>, <linux-doc@...r.kernel.org>,
<linux-media@...r.kernel.org>, <dri-devel@...ts.freedesktop.org>,
<linaro-mm-sig@...ts.linaro.org>, <kvm@...r.kernel.org>,
<linux-hardening@...r.kernel.org>, Nicolin Chen <nicolinc@...dia.com>,
Jason
Gunthorpe <jgg@...dia.com>
Subject: Re: [PATCH v9 06/11] dma-buf: provide phys_vec to scatter-gather
mapping routine
On Thu, Nov 20, 2025 at 11:28:25AM +0200, Leon Romanovsky wrote:
> +static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length,
> + dma_addr_t addr)
> +{
> + unsigned int len, nents;
> + int i;
> +
> + nents = DIV_ROUND_UP(length, UINT_MAX);
> + for (i = 0; i < nents; i++) {
> + len = min_t(size_t, length, UINT_MAX);
> + length -= len;
> + /*
> + * DMABUF abuses scatterlist to create a scatterlist
> + * that does not have any CPU list, only the DMA list.
> + * Always set the page related values to NULL to ensure
> + * importers can't use it. The phys_addr based DMA API
> + * does not require the CPU list for mapping or unmapping.
> + */
> + sg_set_page(sgl, NULL, 0, 0);
> + sg_dma_address(sgl) = addr + i * UINT_MAX;
(i * UINT_MAX) happens in 32-bit before being promoted to dma_addr_t for
addition with addr. Overflows for i >=2 when length >= 8 GiB. Needs a cast:
sg_dma_address(sgl) = addr + (dma_addr_t)i * UINT_MAX;
Discovered this while debugging why dma-buf import was failing for
an 8 GiB dma-buf using my earlier toy program [1]. It was surfaced by
ib_umem_find_best_pgsz() returning 0 due to malformed scatterlist, which bubbles
up as an EINVAL.
$ ./test_dmabuf 0000:05:00.0 3 4 0 0x200000000
opening 0000:05:00.0 via /dev/vfio/56
allocating dma_buf bar_idx=4, bar_offset=0x0, size=0x200000000
allocated dma_buf fd=6
discovered 4 ibv devices: mlx5_0 mlx5_1 mlx5_2 mlx5_3
opened ibv device 3: mlx5_3
test_dmabuf.c:154 Condition failed: 'mr' (errno=22: Invalid argument)
$ sudo retsnoop -e mlx5_ib_reg_user_mr_dmabuf -a 'mlx5*' -a 'ib_umem*' -a '*umr*' -a 'vfio_pci*' -a 'dma_buf_*' -x EINVAL -T
Receiving data...
13:56:22.257907 -> 13:56:22.258275 TID/PID 948895/948895 (test_dmabuf/test_dmabuf):
FUNCTION CALLS RESULT DURATION
-------------------------------------------- -------------------- ---------
→ mlx5_ib_reg_user_mr_dmabuf
↔ mlx5r_umr_resource_init [0] 2.224us
→ ib_umem_dmabuf_get
→ ib_umem_dmabuf_get_with_dma_device
↔ dma_buf_get [0xff11012a6a098c00] 0.972us
→ dma_buf_dynamic_attach
↔ vfio_pci_dma_buf_attach [0] 2.003us
← dma_buf_dynamic_attach [0xff1100012793e400] 10.566us
← ib_umem_dmabuf_get_with_dma_device [0xff110127a6c74480] 15.794us
← ib_umem_dmabuf_get [0xff110127a6c74480] 25.258us
→ mlx5_ib_init_dmabuf_mr
→ ib_umem_dmabuf_map_pages
→ dma_buf_map_attachment
→ vfio_pci_dma_buf_map
↔ dma_buf_map [0xff1100012977f700] 4.918us
← vfio_pci_dma_buf_map [0xff1100012977f700] 8.362us
← dma_buf_map_attachment [0xff1100012977f700] 10.956us
← ib_umem_dmabuf_map_pages [0] 17.336us
↔ ib_umem_find_best_pgsz [0] 6.280us
→ ib_umem_dmabuf_unmap_pages
→ dma_buf_unmap_attachment
→ vfio_pci_dma_buf_unmap
↔ dma_buf_unmap [void] 2.023us
← vfio_pci_dma_buf_unmap [void] 6.700us
← dma_buf_unmap_attachment [void] 8.142us
← ib_umem_dmabuf_unmap_pages [void] 14.953us
← mlx5_ib_init_dmabuf_mr [-EINVAL] 67.272us
→ mlx5r_umr_revoke_mr
→ mlx5r_umr_post_send_wait
→ mlx5r_umr_post_send
↔ mlx5r_begin_wqe [0] 1.703us
↔ mlx5r_finish_wqe [void] 1.633us
↔ mlx5r_ring_db [void] 1.312us
← mlx5r_umr_post_send [0] 27.451us
← mlx5r_umr_post_send_wait [0] 126.541us
← mlx5r_umr_revoke_mr [0] 141.925us
→ ib_umem_release
→ ib_umem_dmabuf_release
↔ ib_umem_dmabuf_revoke [void] 1.582us
↔ dma_buf_detach [void] 3.765us
↔ dma_buf_put [void] 0.531us
← ib_umem_dmabuf_release [void] 23.315us
← ib_umem_release [void] 40.301us
← mlx5_ib_reg_user_mr_dmabuf [-EINVAL] 363.280us
[1] https://lore.kernel.org/all/aQkLcAxEn4qmF3c4@devgpu015.cco6.facebook.com/
Alex
Powered by blists - more mailing lists