From: Steven Sistare <steven.sistare@oracle.com>
To: Alex Williamson <alex.williamson@redhat.com>,
Dan Carpenter <dan.carpenter@oracle.com>
Cc: kbuild@lists.01.org, lkp@intel.com, kbuild-all@lists.01.org,
Linux Memory Management List <linux-mm@kvack.org>,
Cornelia Huck <cohuck@redhat.com>
Subject: Re: [kbuild] [linux-next:master 6931/12022] drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'
Date: Tue, 23 Feb 2021 08:56:36 -0500 [thread overview]
Message-ID: <de835b3f-8aef-2879-f637-97a24e810570@oracle.com> (raw)
In-Reply-To: <20210222161753.7acc4e92@omen.home.shazbot.org>
On 2/22/2021 6:17 PM, Alex Williamson wrote:
> On Mon, 22 Feb 2021 15:51:45 -0700
> Alex Williamson <alex.williamson@redhat.com> wrote:
>
>> On Mon, 22 Feb 2021 17:10:43 +0300
>> Dan Carpenter <dan.carpenter@oracle.com> wrote:
>>
>>> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
>>> head: 37dfbfbdca66834bc0f64ec9b35e09ac6c8898da
>>> commit: 0f53afa12baec8c00f5d1d6afb49325ada105253 [6931/12022] vfio/type1: unmap cleanup
>>
>> It's always the patches that claim no functional change... ;)
>>
>>> config: i386-randconfig-m021-20210222 (attached as .config)
>>> compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
>>>
>>> If you fix the issue, kindly add following tag as appropriate
>>> Reported-by: kernel test robot <lkp@intel.com>
>>> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>>>
>>> New smatch warnings:
>>> drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'
>>>
>>> vim +1093 drivers/vfio/vfio_iommu_type1.c
>>>
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1071 static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1072 struct vfio_iommu_type1_dma_unmap *unmap,
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1073 struct vfio_bitmap *bitmap)
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1074 {
>>> c086de818dd81c Kirti Wankhede 2016-11-17 1075 struct vfio_dma *dma, *dma_last = NULL;
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1076 size_t unmapped = 0, pgsize;
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1077 int ret = -EINVAL, retries = 0;
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1078 unsigned long pgshift;
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1079 dma_addr_t iova = unmap->iova;
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1080 unsigned long size = unmap->size;
>>> ^^^^^^^^^^^^^^^^^^
>>>
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1081
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1082 mutex_lock(&iommu->lock);
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1083
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1084 pgshift = __ffs(iommu->pgsize_bitmap);
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1085 pgsize = (size_t)1 << pgshift;
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1086
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1087 if (iova & (pgsize - 1))
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1088 goto unlock;
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1089
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1090 if (!size || size & (pgsize - 1))
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1091 goto unlock;
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1092
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 @1093 if (iova + size - 1 < iova || size > SIZE_MAX)
>>>
>>> size is unsigned long and SIZE_MAX is ULONG_MAX so "size > SIZE_MAX"
>>> does not make sense.
>>
>> I think it made sense before the above commit, where unmap->size is a
>> __u64 and a user could provide a value that exceeds SIZE_MAX on ILP32.
>> Seems like the fix is probably to use a size_t for the local variable
>> and restore this test to compare (unmap->size > SIZE_MAX). Steve?
>
> Actually it seems like VFIO_DMA_UNMAP_FLAG_ALL doesn't work when
> PHYS_ADDR_MAX != SIZE_MAX (ex. x86 PAE - I think).
It seems like PAE causes problems even before VFIO_DMA_UNMAP_FLAG_ALL.
In the previous vfio_dma_do_unmap code, the u64 unmap->size would be
truncated when passed to vfio_find_dma.
For unmap, these fixes should suffice, and I would rather do this than
disable the unmap-all flag for a corner case:
vfio_dma_do_unmap()
size_t unmapped = 0;
unsigned long size = unmap->size;
==>
u64 unmapped = 0;
u64 size = unmap->size;
static struct rb_node *vfio_find_dma_first_node(
struct vfio_iommu *iommu, dma_addr_t start, size_t size)
==>
static struct rb_node *vfio_find_dma_first_node(
struct vfio_iommu *iommu, dma_addr_t start, u64 size)
And maybe use dma_addr_t instead of u64 in the above (which is 64 bits for
CONFIG_X86_PAE).
However, there are other places in the existing code that need tweaking
to be safe for PAE, the vfio_find_dma() size arg for one.
- Steve
> I can't say I'm
> really interested in adding complexity to make it work in such a case
> either. Maybe we can just not expose it, ex:
>
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index ed03f3fcb07e..6b69a74b3db0 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -1207,7 +1207,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> int ret = -EINVAL, retries = 0;
> unsigned long pgshift;
> dma_addr_t iova = unmap->iova;
> - unsigned long size = unmap->size;
> + size_t size = unmap->size;
> bool unmap_all = unmap->flags & VFIO_DMA_UNMAP_FLAG_ALL;
> bool invalidate_vaddr = unmap->flags & VFIO_DMA_UNMAP_FLAG_VADDR;
> struct rb_node *n, *first_n;
> @@ -1228,7 +1228,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> goto unlock;
> }
>
> - if (iova + size - 1 < iova || size > SIZE_MAX)
> + if (iova + size - 1 < iova || unmap->size > SIZE_MAX)
> goto unlock;
>
> /* When dirty tracking is enabled, allow only min supported pgsize */
> @@ -2657,9 +2657,10 @@ static int vfio_iommu_type1_check_extension(struct vfio_iommu *iommu,
> case VFIO_TYPE1_IOMMU:
> case VFIO_TYPE1v2_IOMMU:
> case VFIO_TYPE1_NESTING_IOMMU:
> - case VFIO_UNMAP_ALL:
> case VFIO_UPDATE_VADDR:
> return 1;
> + case VFIO_UNMAP_ALL:
> + return PHYS_ADDR_MAX == SIZE_MAX ? 1 : 0;
> case VFIO_DMA_CC_IOMMU:
> if (!iommu)
> return 0;
> @@ -2868,6 +2869,10 @@ static int vfio_iommu_type1_unmap_dma(struct vfio_iommu *iommu,
> VFIO_DMA_UNMAP_FLAG_VADDR)))
> return -EINVAL;
>
> + if ((PHYS_ADDR_MAX != SIZE_MAX) &&
> + (unmap.flags & VFIO_DMA_UNMAP_FLAG_ALL))
> + return -EINVAL;
> +
> if (unmap.flags & VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP) {
> unsigned long pgshift;
>
>
>
>
>
>>> Is the " - 1" intentional on the other overflow check? As in it's okay
>>> to wrap around to zero but not further than that? Sometimes this is
>>> intentional but it requires more subsystem expertise than I possess.
>>
>> Yes, since we're dealing with a start + length we need to account for
>> the -1 in the end value, otherwise the user could never unmap the last
>> page of the address space. Thanks for the report!
>>
>> Alex
>>
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1094 goto unlock;
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1095
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1096 /* When dirty tracking is enabled, allow only min supported pgsize */
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1097 if ((unmap->flags & VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP) &&
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1098 (!iommu->dirty_page_tracking || (bitmap->pgsize != pgsize))) {
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1099 goto unlock;
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1100 }
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1101
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1102 WARN_ON((pgsize - 1) & PAGE_MASK);
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1103 again:
>>> 1ef3e2bc04223f Alex Williamson 2014-02-26 1104 /*
>>>
>>> ---
>>> 0-DAY CI Kernel Test Service, Intel Corporation
>>> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
>>
>
WARNING: multiple messages have this Message-ID (diff)
From: Steven Sistare <steven.sistare@oracle.com>
To: kbuild-all@lists.01.org
Subject: Re: [kbuild] [linux-next:master 6931/12022] drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'
Date: Tue, 23 Feb 2021 08:56:36 -0500 [thread overview]
Message-ID: <de835b3f-8aef-2879-f637-97a24e810570@oracle.com> (raw)
In-Reply-To: <20210222161753.7acc4e92@omen.home.shazbot.org>
[-- Attachment #1: Type: text/plain, Size: 7790 bytes --]
On 2/22/2021 6:17 PM, Alex Williamson wrote:
> On Mon, 22 Feb 2021 15:51:45 -0700
> Alex Williamson <alex.williamson@redhat.com> wrote:
>
>> On Mon, 22 Feb 2021 17:10:43 +0300
>> Dan Carpenter <dan.carpenter@oracle.com> wrote:
>>
>>> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
>>> head: 37dfbfbdca66834bc0f64ec9b35e09ac6c8898da
>>> commit: 0f53afa12baec8c00f5d1d6afb49325ada105253 [6931/12022] vfio/type1: unmap cleanup
>>
>> It's always the patches that claim no functional change... ;)
>>
>>> config: i386-randconfig-m021-20210222 (attached as .config)
>>> compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
>>>
>>> If you fix the issue, kindly add following tag as appropriate
>>> Reported-by: kernel test robot <lkp@intel.com>
>>> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>>>
>>> New smatch warnings:
>>> drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'
>>>
>>> vim +1093 drivers/vfio/vfio_iommu_type1.c
>>>
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1071 static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1072 struct vfio_iommu_type1_dma_unmap *unmap,
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1073 struct vfio_bitmap *bitmap)
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1074 {
>>> c086de818dd81c Kirti Wankhede 2016-11-17 1075 struct vfio_dma *dma, *dma_last = NULL;
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1076 size_t unmapped = 0, pgsize;
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1077 int ret = -EINVAL, retries = 0;
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1078 unsigned long pgshift;
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1079 dma_addr_t iova = unmap->iova;
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1080 unsigned long size = unmap->size;
>>> ^^^^^^^^^^^^^^^^^^
>>>
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1081
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1082 mutex_lock(&iommu->lock);
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1083
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1084 pgshift = __ffs(iommu->pgsize_bitmap);
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1085 pgsize = (size_t)1 << pgshift;
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1086
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1087 if (iova & (pgsize - 1))
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1088 goto unlock;
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1089
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1090 if (!size || size & (pgsize - 1))
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1091 goto unlock;
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1092
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 @1093 if (iova + size - 1 < iova || size > SIZE_MAX)
>>>
>>> size is unsigned long and SIZE_MAX is ULONG_MAX so "size > SIZE_MAX"
>>> does not make sense.
>>
>> I think it made sense before the above commit, where unmap->size is a
>> __u64 and a user could provide a value that exceeds SIZE_MAX on ILP32.
>> Seems like the fix is probably to use a size_t for the local variable
>> and restore this test to compare (unmap->size > SIZE_MAX). Steve?
>
> Actually it seems like VFIO_DMA_UNMAP_FLAG_ALL doesn't work when
> PHYS_ADDR_MAX != SIZE_MAX (ex. x86 PAE - I think).
It seems like PAE causes problems even before VFIO_DMA_UNMAP_FLAG_ALL.
In the previous vfio_dma_do_unmap code, the u64 unmap->size would be
truncated when passed to vfio_find_dma.
For unmap, these fixes should suffice, and I would rather do this than
disable the unmap-all flag for a corner case:
vfio_dma_do_unmap()
size_t unmapped = 0;
unsigned long size = unmap->size;
==>
u64 unmapped = 0;
u64 size = unmap->size;
static struct rb_node *vfio_find_dma_first_node(
struct vfio_iommu *iommu, dma_addr_t start, size_t size)
==>
static struct rb_node *vfio_find_dma_first_node(
struct vfio_iommu *iommu, dma_addr_t start, u64 size)
And maybe use dma_addr_t instead of u64 in the above (which is 64 bits for
CONFIG_X86_PAE).
However, there are other places in the existing code that need tweaking
to be safe for PAE, the vfio_find_dma() size arg for one.
- Steve
> I can't say I'm
> really interested in adding complexity to make it work in such a case
> either. Maybe we can just not expose it, ex:
>
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index ed03f3fcb07e..6b69a74b3db0 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -1207,7 +1207,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> int ret = -EINVAL, retries = 0;
> unsigned long pgshift;
> dma_addr_t iova = unmap->iova;
> - unsigned long size = unmap->size;
> + size_t size = unmap->size;
> bool unmap_all = unmap->flags & VFIO_DMA_UNMAP_FLAG_ALL;
> bool invalidate_vaddr = unmap->flags & VFIO_DMA_UNMAP_FLAG_VADDR;
> struct rb_node *n, *first_n;
> @@ -1228,7 +1228,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> goto unlock;
> }
>
> - if (iova + size - 1 < iova || size > SIZE_MAX)
> + if (iova + size - 1 < iova || unmap->size > SIZE_MAX)
> goto unlock;
>
> /* When dirty tracking is enabled, allow only min supported pgsize */
> @@ -2657,9 +2657,10 @@ static int vfio_iommu_type1_check_extension(struct vfio_iommu *iommu,
> case VFIO_TYPE1_IOMMU:
> case VFIO_TYPE1v2_IOMMU:
> case VFIO_TYPE1_NESTING_IOMMU:
> - case VFIO_UNMAP_ALL:
> case VFIO_UPDATE_VADDR:
> return 1;
> + case VFIO_UNMAP_ALL:
> + return PHYS_ADDR_MAX == SIZE_MAX ? 1 : 0;
> case VFIO_DMA_CC_IOMMU:
> if (!iommu)
> return 0;
> @@ -2868,6 +2869,10 @@ static int vfio_iommu_type1_unmap_dma(struct vfio_iommu *iommu,
> VFIO_DMA_UNMAP_FLAG_VADDR)))
> return -EINVAL;
>
> + if ((PHYS_ADDR_MAX != SIZE_MAX) &&
> + (unmap.flags & VFIO_DMA_UNMAP_FLAG_ALL))
> + return -EINVAL;
> +
> if (unmap.flags & VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP) {
> unsigned long pgshift;
>
>
>
>
>
>>> Is the " - 1" intentional on the other overflow check? As in it's okay
>>> to wrap around to zero but not further than that? Sometimes this is
>>> intentional but it requires more subsystem expertise than I possess.
>>
>> Yes, since we're dealing with a start + length we need to account for
>> the -1 in the end value, otherwise the user could never unmap the last
>> page of the address space. Thanks for the report!
>>
>> Alex
>>
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1094 goto unlock;
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1095
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1096 /* When dirty tracking is enabled, allow only min supported pgsize */
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1097 if ((unmap->flags & VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP) &&
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1098 (!iommu->dirty_page_tracking || (bitmap->pgsize != pgsize))) {
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1099 goto unlock;
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1100 }
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1101
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1102 WARN_ON((pgsize - 1) & PAGE_MASK);
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1103 again:
>>> 1ef3e2bc04223f Alex Williamson 2014-02-26 1104 /*
>>>
>>> ---
>>> 0-DAY CI Kernel Test Service, Intel Corporation
>>> https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
>>
>
next prev parent reply other threads:[~2021-02-23 13:56 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-22 14:10 [kbuild] [linux-next:master 6931/12022] drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)' Dan Carpenter
2021-02-22 14:10 ` Dan Carpenter
2021-02-22 14:10 ` Dan Carpenter
2021-02-22 22:51 ` [kbuild] " Alex Williamson
2021-02-22 22:51 ` Alex Williamson
2021-02-22 23:17 ` Alex Williamson
2021-02-22 23:17 ` Alex Williamson
2021-02-23 13:56 ` Steven Sistare [this message]
2021-02-23 13:56 ` Steven Sistare
2021-02-23 17:45 ` Alex Williamson
2021-02-23 17:45 ` Alex Williamson
2021-02-23 20:37 ` Steven Sistare
2021-02-23 20:37 ` Steven Sistare
2021-02-23 21:10 ` Alex Williamson
2021-02-23 21:10 ` Alex Williamson
2021-02-23 21:52 ` Steven Sistare
2021-02-23 21:52 ` Steven Sistare
2021-02-23 23:58 ` Steven Sistare
2021-02-23 23:58 ` Steven Sistare
2021-02-24 22:55 ` Alex Williamson
2021-02-24 22:55 ` Alex Williamson
2021-02-25 15:25 ` Steven Sistare
2021-02-25 15:25 ` Steven Sistare
2021-02-25 18:00 ` Alex Williamson
2021-02-25 18:00 ` Alex Williamson
2021-02-25 18:52 ` Steven Sistare
2021-02-25 18:52 ` Steven Sistare
2021-02-25 19:12 ` Alex Williamson
2021-02-25 19:12 ` Alex Williamson
2021-02-23 13:20 ` Steven Sistare
2021-02-23 13:20 ` Steven Sistare
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=de835b3f-8aef-2879-f637-97a24e810570@oracle.com \
--to=steven.sistare@oracle.com \
--cc=alex.williamson@redhat.com \
--cc=cohuck@redhat.com \
--cc=dan.carpenter@oracle.com \
--cc=kbuild-all@lists.01.org \
--cc=kbuild@lists.01.org \
--cc=linux-mm@kvack.org \
--cc=lkp@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.