* [PATCH] iommu/dma: Handle SG length overflow better
@ 2019-07-29 16:46 Robin Murphy
2019-08-06 15:25 ` Joerg Roedel
0 siblings, 1 reply; 5+ messages in thread
From: Robin Murphy @ 2019-07-29 16:46 UTC (permalink / raw)
To: joro; +Cc: Nicolin Chen, iommu
Since scatterlist dimensions are all unsigned ints, in the relatively
rare cases where a device's max_segment_size is set to UINT_MAX, then
the "cur_len + s_length <= max_len" check in __finalise_sg() will always
return true. As a result, the corner case of such a device mapping an
excessively large scatterlist which is mergeable to or beyond a total
length of 4GB can lead to overflow and a bogus truncated dma_length in
the resulting segment.
As we already assume that any single segment must be no longer than
max_len to begin with, this can easily be addressed by reshuffling the
comparison.
Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging")
Reported-by: Nicolin Chen <nicoleotsuka@gmail.com>
Tested-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
---
drivers/iommu/dma-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
index a7f9c3edbcb2..e3098bc0996c 100644
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -764,7 +764,7 @@ static int __finalise_sg(struct device *dev, struct scatterlist *sg, int nents,
* - and wouldn't make the resulting output segment too long
*/
if (cur_len && !s_iova_off && (dma_addr & seg_mask) &&
- (cur_len + s_length <= max_len)) {
+ (max_len - cur_len >= s_length)) {
/* ...then concatenate it with the previous one */
cur_len += s_length;
} else {
--
2.21.0.dirty
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] iommu/dma: Handle SG length overflow better
2019-07-29 16:46 [PATCH] iommu/dma: Handle SG length overflow better Robin Murphy
@ 2019-08-06 15:25 ` Joerg Roedel
2019-08-06 15:49 ` Robin Murphy
0 siblings, 1 reply; 5+ messages in thread
From: Joerg Roedel @ 2019-08-06 15:25 UTC (permalink / raw)
To: Robin Murphy; +Cc: Nicolin Chen, iommu
Hi Robin,
On Mon, Jul 29, 2019 at 05:46:00PM +0100, Robin Murphy wrote:
> Since scatterlist dimensions are all unsigned ints, in the relatively
> rare cases where a device's max_segment_size is set to UINT_MAX, then
> the "cur_len + s_length <= max_len" check in __finalise_sg() will always
> return true. As a result, the corner case of such a device mapping an
> excessively large scatterlist which is mergeable to or beyond a total
> length of 4GB can lead to overflow and a bogus truncated dma_length in
> the resulting segment.
>
> As we already assume that any single segment must be no longer than
> max_len to begin with, this can easily be addressed by reshuffling the
> comparison.
Has this been triggered in the wild of can this patch wait for the next
merge window?
Regards,
Joerg
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] iommu/dma: Handle SG length overflow better
2019-08-06 15:25 ` Joerg Roedel
@ 2019-08-06 15:49 ` Robin Murphy
2019-08-07 1:11 ` Nicolin Chen
0 siblings, 1 reply; 5+ messages in thread
From: Robin Murphy @ 2019-08-06 15:49 UTC (permalink / raw)
To: Joerg Roedel, Nicolin Chen; +Cc: iommu
Hi Joerg,
On 06/08/2019 16:25, Joerg Roedel wrote:
> Hi Robin,
>
> On Mon, Jul 29, 2019 at 05:46:00PM +0100, Robin Murphy wrote:
>> Since scatterlist dimensions are all unsigned ints, in the relatively
>> rare cases where a device's max_segment_size is set to UINT_MAX, then
>> the "cur_len + s_length <= max_len" check in __finalise_sg() will always
>> return true. As a result, the corner case of such a device mapping an
>> excessively large scatterlist which is mergeable to or beyond a total
>> length of 4GB can lead to overflow and a bogus truncated dma_length in
>> the resulting segment.
>>
>> As we already assume that any single segment must be no longer than
>> max_len to begin with, this can easily be addressed by reshuffling the
>> comparison.
>
> Has this been triggered in the wild of can this patch wait for the next
> merge window?
My impression was that it's possible to hit this via relatively funky,
but legitimate, use of dma-buf from userspace, however I don't know
off-hand how many drivers actually support creating and exporting such
crazy-large buffers in the first place.
Nicolin - is your use-case something that's easy to do with standard
software on stable kernels, or did it only come to light as part of a
"big stack of embedded magic" type thing?
Robin.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] iommu/dma: Handle SG length overflow better
2019-08-06 15:49 ` Robin Murphy
@ 2019-08-07 1:11 ` Nicolin Chen
2019-08-09 15:32 ` Joerg Roedel
0 siblings, 1 reply; 5+ messages in thread
From: Nicolin Chen @ 2019-08-07 1:11 UTC (permalink / raw)
To: Robin Murphy; +Cc: iommu
Hi Robin,
On Tue, Aug 06, 2019 at 04:49:01PM +0100, Robin Murphy wrote:
> Hi Joerg,
>
> On 06/08/2019 16:25, Joerg Roedel wrote:
> > Hi Robin,
> >
> > On Mon, Jul 29, 2019 at 05:46:00PM +0100, Robin Murphy wrote:
> > > Since scatterlist dimensions are all unsigned ints, in the relatively
> > > rare cases where a device's max_segment_size is set to UINT_MAX, then
> > > the "cur_len + s_length <= max_len" check in __finalise_sg() will always
> > > return true. As a result, the corner case of such a device mapping an
> > > excessively large scatterlist which is mergeable to or beyond a total
> > > length of 4GB can lead to overflow and a bogus truncated dma_length in
> > > the resulting segment.
> > >
> > > As we already assume that any single segment must be no longer than
> > > max_len to begin with, this can easily be addressed by reshuffling the
> > > comparison.
> >
> > Has this been triggered in the wild of can this patch wait for the next
> > merge window?
>
> My impression was that it's possible to hit this via relatively funky, but
> legitimate, use of dma-buf from userspace, however I don't know off-hand how
> many drivers actually support creating and exporting such crazy-large
> buffers in the first place.
>
> Nicolin - is your use-case something that's easy to do with standard
> software on stable kernels, or did it only come to light as part of a "big
> stack of embedded magic" type thing?
Well..it was triggered in our downstream test that's supposed to
cover large size (> 4G) corner case, so I don't feel it's "easy"
but our test case was running with 4.14 kernel so I also feel it
might be a good idea to Cc stable kernel even if we postpone the
patch during the merge window. I'll personally be fine with any
decision though -- if no one else cares that much, I'll backport
to our downstream 4.14 on my own.
As a reference, here is a partial list of mainline drivers that
were potentially affected, and are now secured by this change:
drivers/dma/dw-edma/dw-edma-core.c:745:
dma_set_max_seg_size(dma->dev, U32_MAX);
drivers/dma/dma-axi-dmac.c:871:
dma_set_max_seg_size(&pdev->dev, UINT_MAX);
drivers/mmc/host/renesas_sdhi_internal_dmac.c:338:
dma_set_max_seg_size(dev, 0xffffffff);
drivers/nvme/host/pci.c:2520:
dma_set_max_seg_size(dev->dev, 0xffffffff);
Above all, thanks for the fix.
Nicolin
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] iommu/dma: Handle SG length overflow better
2019-08-07 1:11 ` Nicolin Chen
@ 2019-08-09 15:32 ` Joerg Roedel
0 siblings, 0 replies; 5+ messages in thread
From: Joerg Roedel @ 2019-08-09 15:32 UTC (permalink / raw)
To: Nicolin Chen; +Cc: iommu, Robin Murphy
On Tue, Aug 06, 2019 at 06:11:51PM -0700, Nicolin Chen wrote:
> Well..it was triggered in our downstream test that's supposed to
> cover large size (> 4G) corner case, so I don't feel it's "easy"
> but our test case was running with 4.14 kernel so I also feel it
> might be a good idea to Cc stable kernel even if we postpone the
> patch during the merge window. I'll personally be fine with any
> decision though -- if no one else cares that much, I'll backport
> to our downstream 4.14 on my own.
Okay, decided to apply it for v5.3.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-08-09 15:32 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-29 16:46 [PATCH] iommu/dma: Handle SG length overflow better Robin Murphy
2019-08-06 15:25 ` Joerg Roedel
2019-08-06 15:49 ` Robin Murphy
2019-08-07 1:11 ` Nicolin Chen
2019-08-09 15:32 ` Joerg Roedel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).