| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a0a5cf96-70fe-4005-a100-58ae0b72b4cd@oss.qualcomm.com>
Date: Wed, 10 Dec 2025 15:57:56 +0530
From: Vijayanand Jitta <vijayanand.jitta@....qualcomm.com>
To: Rob Herring <robh@...nel.org>
Cc: robin.murphy@....com, will@...nel.org, joro@...tes.org,
dmitry.baryshkov@....qualcomm.com, konrad.dybcio@....qualcomm.com,
bjorn.andersson@....qualcomm.com, bod@...nel.org, conor+dt@...nel.org,
krzk+dt@...nel.org, charan.kalla@....qualcomm.com,
prakash.gupta@....qualcomm.com, vikash.garodia@....qualcomm.com,
iommu@...ts.linux.dev, linux-kernel@...r.kernel.org,
devicetree@...r.kernel.org
Subject: Re: [PATCH v2 3/3] of: Respect #{iommu,msi}-cells in maps
On 12/10/2025 1:47 AM, Rob Herring wrote:
> On Thu, Dec 04, 2025 at 03:25:30PM +0530, Vijayanand Jitta wrote:
>> From: Robin Murphy <robin.murphy@....com>
>>
>> So far our parsing of {iommu,msi}-map properites has always blindly
>> asusmed that the output specifiers will always have exactly 1 cell.
>> This typically does happen to be the case, but is not actually enforced
>> (and the PCI msi-map binding even explicitly states support for 0 or 1
>> cells) - as a result we've now ended up with dodgy DTs out in the field
>> which depend on this behaviour to map a 1-cell specifier for a 2-cell
>> provider, despite that being bogus per the bindings themselves.
>>
>> Since there is some potential use in being able to map at least single
>> input IDs to multi-cell output specifiers (and properly support 0-cell
>> outputs as well), add support for properly parsing and using the target
>> nodes' #cells values, albeit with the unfortunate complication of still
>> having to work around expectations of the old behaviour too.
>>
>> Since there are multi-cell output specifiers, the callers of of_map_id()
>> may need to get the exact cell output value for further processing.
>> Added support for that part --charan
>>
>> Signed-off-by: Robin Murphy <robin.murphy@....com>
>> Signed-off-by: Vijayanand Jitta <vijayanand.jitta@....qualcomm.com>
>> ---
>> drivers/iommu/of_iommu.c | 3 +-
>> drivers/of/base.c | 107 ++++++++++++++++++++++++++++++---------
>> include/linux/of.h | 17 ++++---
>> 3 files changed, 94 insertions(+), 33 deletions(-)
>>
>> diff --git a/drivers/iommu/of_iommu.c b/drivers/iommu/of_iommu.c
>> index eac62bc441c5..48759cf1d900 100644
>> --- a/drivers/iommu/of_iommu.c
>> +++ b/drivers/iommu/of_iommu.c
>> @@ -45,10 +45,11 @@ static int of_iommu_configure_dev_id(struct device_node *master_np,
>> struct device *dev,
>> const u32 *id)
>> {
>> - struct of_phandle_args iommu_spec = { .args_count = 1 };
>> + struct of_phandle_args iommu_spec = {};
>> struct of_map_id_arg arg = {
>> .target = &iommu_spec.np,
>> .id_out = iommu_spec.args,
>> + .map_cells = &iommu_spec.args_count,
>> };
>> int err;
>>
>> diff --git a/drivers/of/base.c b/drivers/of/base.c
>> index b8f78a9e6a09..68a7d6ddba66 100644
>> --- a/drivers/of/base.c
>> +++ b/drivers/of/base.c
>> @@ -2045,11 +2045,30 @@ int of_find_last_cache_level(unsigned int cpu)
>> return cache_level;
>> }
>>
>> +/*
>> + * Some DTs have an iommu-map targeting a 2-cell IOMMU node while
>> + * specifying only 1 cell. Fortunately they all consist of length == 1
>> + * entries with the same target, so check for that pattern.
>
> Can you show what a bad entry looks like here.
>
Sure, will add an example in the comments. Basically it would look like below.
for iommu with iommu-cells = <2>;
Device having below iommu-map property.
iommu-map = <0x0000 &smmu 0x0000 0x1>,
<0x0100 &smmu 0x0100 0x1>;
>> + */
>> +static bool of_check_bad_map(const __be32 *map, int len)
>> +{
>> + __be32 phandle = map[1];
>> +
>> + if (len % 4)
>> + return false;
>> + for (int i = 0; i < len; i += 4) {
>> + if (map[i + 1] != phandle || map[i + 3] != cpu_to_be32(1))
>
> Why does the IOMMU arg cell have to be 1? The description said 'same
> target', but it is just all have an IOMMU cell value of 1?
>
Here, the check is for length argument to be 1. This is to maintain backward
compatibility as mentioned above, as all such bad entries right now have
length as 1.
>> + return false;
>> + }
>> + return true;
>> +}
>> +
>> /**
>> * of_map_id - Translate an ID through a downstream mapping.
>> * @np: root complex device node.
>> * @id: device ID to map.
>> * @map_name: property name of the map to use.
>> + * @cells_name: property name of target specifier cells.
>> * @map_mask_name: optional property name of the mask to use.
>> * @arg: contains the optional params, @target which is a pointer
>> * to the target device node and id_out which is a pointer
>> @@ -2065,18 +2084,19 @@ int of_find_last_cache_level(unsigned int cpu)
>> *
>> * Return: 0 on success or a standard error code on failure.
>> */
>> -int of_map_id(const struct device_node *np, u32 id,
>> - const char *map_name, const char *map_mask_name,
>> - struct of_map_id_arg *arg)
>> +int of_map_id(const struct device_node *np, u32 id, const char *map_name,
>> + const char *cells_name, const char *map_mask_name,
>> + struct of_map_id_arg *arg)
>> {
>> u32 map_mask, masked_id;
>> - int map_len;
>> + int map_bytes, map_len, offset = 0;
>> + bool bad_map = false;
>> const __be32 *map = NULL;
>>
>> if (!np || !map_name || !arg || (!arg->target && !arg->id_out))
>> return -EINVAL;
>>
>> - map = of_get_property(np, map_name, &map_len);
>> + map = of_get_property(np, map_name, &map_bytes);
>> if (!map) {
>> if (arg->target)
>> return -ENODEV;
>> @@ -2085,11 +2105,9 @@ int of_map_id(const struct device_node *np, u32 id,
>> return 0;
>> }
>>
>> - if (!map_len || map_len % (4 * sizeof(*map))) {
>> - pr_err("%pOF: Error: Bad %s length: %d\n", np,
>> - map_name, map_len);
>> - return -EINVAL;
>> - }
>> + if (map_bytes % sizeof(*map))
>> + goto err_map_len;
>> + map_len = map_bytes / sizeof(*map);
>>
>> /* The default is to select all bits. */
>> map_mask = 0xffffffff;
>> @@ -2102,27 +2120,62 @@ int of_map_id(const struct device_node *np, u32 id,
>> of_property_read_u32(np, map_mask_name, &map_mask);
>>
>> masked_id = map_mask & id;
>> - for ( ; map_len > 0; map_len -= 4 * sizeof(*map), map += 4) {
>> + while (offset < map_len) {
>> struct device_node *phandle_node;
>> - u32 id_base = be32_to_cpup(map + 0);
>> - u32 phandle = be32_to_cpup(map + 1);
>> - u32 out_base = be32_to_cpup(map + 2);
>> - u32 id_len = be32_to_cpup(map + 3);
>> + u32 id_base, phandle, cells, id_len, id_off;
>> + const __be32 *out_base;
>> +
>> + if (map_len - offset < 2)
>> + goto err_map_len;
>>
>> + id_base = be32_to_cpup(map + offset);
>> if (id_base & ~map_mask) {
>> - pr_err("%pOF: Invalid %s translation - %s-mask (0x%x) ignores id-base (0x%x)\n",
>> - np, map_name, map_name,
>> + pr_err("%pOF: Invalid %s translation - %s (0x%x) ignores id-base (0x%x)\n",
>> + np, map_name, map_mask_name,
>> map_mask, id_base);
>> return -EFAULT;
>> }
>>
>> - if (masked_id < id_base || masked_id >= id_base + id_len)
>> - continue;
>> -
>> + phandle = be32_to_cpup(map + offset + 1);
>> phandle_node = of_find_node_by_phandle(phandle);
>> if (!phandle_node)
>> return -ENODEV;
>>
>> + if (!bad_map && of_property_read_u32(phandle_node, cells_name, &cells)) {
>> + pr_err("%pOF: missing %s property\n", phandle_node, cells_name);
>> + return -EINVAL;
>> + }
>> +
>> + if (map_len - offset < 3 + cells)
>> + goto err_map_len;
>> +
>> + if (offset == 0 && cells == 2) {
>> + bad_map = of_check_bad_map(map, map_len);
>> + if (bad_map) {
>> + pr_warn_once("%pOF: %s mismatches target %s, assuming extra cell of 0\n",
>> + np, map_name, cells_name);
>> + cells = 1;
>> + }
>> + }
>> +
>> + out_base = map + offset + 2;
>> + offset += 3 + cells;
>> +
>> + id_len = be32_to_cpup(map + offset - 1);
>> + if (id_len > 1 && cells > 1) {
>> + /*
>> + * With 1 output cell we reasonably assume its value
>> + * has a linear relationship to the input; with more,
>> + * we'd need help from the provider to know what to do.
>> + */
>> + pr_err("%pOF: Unsupported %s - cannot handle %d-ID range with %d-cell output specifier\n",
>> + np, map_name, id_len, cells);
>> + return -EINVAL;
>> + }
>> + id_off = masked_id - id_base;
>> + if (masked_id < id_base || id_off >= id_len)
>> + continue;
>> +
>> if (arg->target) {
>> if (*arg->target)
>> of_node_put(phandle_node);
>> @@ -2133,12 +2186,14 @@ int of_map_id(const struct device_node *np, u32 id,
>> continue;
>> }
>>
>> - if (arg->id_out)
>> - *arg->id_out = masked_id - id_base + out_base;
>> + for (int i = 0; arg->id_out && i < cells; i++)
>> + arg->id_out[i] = id_off + be32_to_cpu(out_base[i]);
>>
>> + if (arg->map_cells)
>> + *arg->map_cells = cells;
>> pr_debug("%pOF: %s, using mask %08x, id-base: %08x, out-base: %08x, length: %08x, id: %08x -> %08x\n",
>> - np, map_name, map_mask, id_base, out_base,
>> - id_len, id, masked_id - id_base + out_base);
>> + np, map_name, map_mask, id_base, be32_to_cpup(out_base),
>> + id_len, id, id_off + be32_to_cpup(out_base));
>> return 0;
>> }
>>
>> @@ -2149,5 +2204,9 @@ int of_map_id(const struct device_node *np, u32 id,
>> if (arg->id_out)
>> *arg->id_out = id;
>> return 0;
>> +
>> +err_map_len:
>> + pr_err("%pOF: Error: Bad %s length: %d\n", np, map_name, map_bytes);
>> + return -EINVAL;
>> }
>> EXPORT_SYMBOL_GPL(of_map_id);
>> diff --git a/include/linux/of.h b/include/linux/of.h
>> index 21bdce2b37ca..1981509c7918 100644
>> --- a/include/linux/of.h
>> +++ b/include/linux/of.h
>> @@ -29,6 +29,7 @@ struct device_node;
>> struct of_map_id_arg {
>> struct device_node **target;
>> u32 *id_out;
>> + u32 *map_cells;
>> };
>>
>> struct property {
>> @@ -462,9 +463,9 @@ const char *of_prop_next_string(const struct property *prop, const char *cur);
>>
>> bool of_console_check(const struct device_node *dn, char *name, int index);
>>
>> -int of_map_id(const struct device_node *np, u32 id,
>> - const char *map_name, const char *map_mask_name,
>> - struct of_map_id_arg *arg);
>> +int of_map_id(const struct device_node *np, u32 id, const char *map_name,
>> + const char *cells_name, const char *map_mask_name,
>> + struct of_map_id_arg *arg);
>>
>> phys_addr_t of_dma_get_max_cpu_address(struct device_node *np);
>>
>> @@ -911,9 +912,9 @@ static inline void of_property_clear_flag(struct property *p, unsigned long flag
>> {
>> }
>>
>> -static inline int of_map_id(const struct device_node *np, u32 id,
>> - const char *map_name, const char *map_mask_name,
>> - struct of_map_id_arg *arg)
>> +static inline int of_map_id(const struct device_node *np, u32 id, const char *map_name,
>> + const char *cells_name, const char *map_mask_name,
>> + struct of_map_id_arg *arg);
>> {
>> return -EINVAL;
>> }
>> @@ -1444,7 +1445,7 @@ static inline int of_property_read_s32(const struct device_node *np,
>> static inline int of_map_iommu_id(const struct device_node *np, u32 id,
>> struct of_map_id_arg *arg)
>> {
>> - return of_map_id(np, id, "iommu-map", "iommu-map-mask", arg);
>> + return of_map_id(np, id, "iommu-map", "#iommu-cells", "iommu-map-mask", arg);
>> }
>>
>> static inline int of_map_msi_id(const struct device_node *np, u32 id,
>> @@ -1455,7 +1456,7 @@ static inline int of_map_msi_id(const struct device_node *np, u32 id,
>> .id_out = id_out,
>> };
>>
>> - return of_map_id(np, id, "msi-map", "msi-map-mask", &arg);
>> + return of_map_id(np, id, "msi-map", "#msi-cells", "msi-map-mask", &arg);
>
> There are cases of no #msi-cells and we default to 0 cells in that case.
> Do you maintain that?
>
> Rob
Thanks for pointing this, I see this case of no #msi-cells is not covered. Will
add it in next revision. Also, IIUC shouldn't we set default cells to '1' to
maintain backward compatibility of of_map_id in this case ? No ?
Thanks,
Vijay
Powered by blists - more mailing lists