| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e0bb4d89-e3e3-45b8-8818-edca8df57d0f@nvidia.com>
Date: Wed, 10 Dec 2025 21:12:38 +0000
From: Chaitanya Kulkarni <chaitanyak@...dia.com>
To: Sebastian Ott <sebott@...hat.com>
CC: Keith Busch <kbusch@...nel.org>, "linux-nvme@...ts.infradead.org"
<linux-nvme@...ts.infradead.org>, "iommu@...ts.linux.dev"
<iommu@...ts.linux.dev>, Robin Murphy <robin.murphy@....com>,
"linux-block@...r.kernel.org" <linux-block@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-xfs@...r.kernel.org" <linux-xfs@...r.kernel.org>, Jens Axboe
<axboe@...com>, Christoph Hellwig <hch@....de>, Will Deacon
<will@...nel.org>, Carlos Maiolino <cem@...nel.org>, Leon Romanovsky
<leon@...nel.org>
Subject: Re: WARNING: drivers/iommu/io-pgtable-arm.c:639
On 12/10/25 09:12, Sebastian Ott wrote:
> On Wed, 10 Dec 2025, Chaitanya Kulkarni wrote:
>> (+ Leon Romanovsky)
>>
>> On 12/9/25 20:05, Keith Busch wrote:
>>> On Wed, Dec 10, 2025 at 02:30:50AM +0000, Chaitanya Kulkarni wrote:
>>>> @@ -126,17 +126,26 @@ static bool blk_rq_dma_map_iova(struct
>>>> request *req, struct device *dma_dev,
>>>> error = dma_iova_link(dma_dev, state, vec->paddr, mapped,
>>>> vec->len, dir, attrs);
>>>> if (error)
>>>> - break;
>>>> + goto out_unlink;
>>>> mapped += vec->len;
>>>> } while (blk_map_iter_next(req, &iter->iter, vec));
>>>>
>>>> error = dma_iova_sync(dma_dev, state, 0, mapped);
>>>> - if (error) {
>>>> - iter->status = errno_to_blk_status(error);
>>>> - return false;
>>>> - }
>>>> + if (error)
>>>> + goto out_unlink;
>>>>
>>>> return true;
>>>> +
>>>> +out_unlink:
>>>> + /*
>>>> + * Unlink any partial mapping to avoid unmap mismatch later.
>>>> + * If we mapped some bytes but not all, we must clean up now
>>>> + * to prevent attempting to unmap more than was actually mapped.
>>>> + */
>>>> + if (mapped)
>>>> + dma_iova_unlink(dma_dev, state, 0, mapped, dir, attrs);
>>>> + iter->status = errno_to_blk_status(error);
>>>> + return false;
>>>> }
>>> It does look like a bug to continue on when dma_iova_link() fails as
>>> the
>>> caller thinks the entire mapping was successful, but I think you also
>>> need to call dma_iova_free() to undo the earlier dma_iova_try_alloc(),
>>> otherwise iova space is leaked.
>>
>> Thanks for catching that, see updated version of this patch [1].
>>
>>> I'm a bit doubtful this error condition was hit though: this sequence
>>> is largely the same as it was in v6.18 before the regression. The only
>>> difference since then should just be for handling P2P DMA across a host
>>> bridge, which I don't think applies to the reported bug since that's a
>>> pretty unusual thing to do.
>>
>> That's why I've asked reporter to test it.
>>
>> Either way, IMO both of the patches are still needed.
>>
>
> The patch Keith posted fixes the issue for me. Should I do another run
> with only these 2 applied?
>
no need for another run, these fixes are needed anyways.
I'll send formal patches for these.
Thanks for reporting this.
-ck
Powered by blists - more mailing lists