From: Alex Williamson <alex.williamson@redhat.com>
To: Steven Sistare <steven.sistare@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
kbuild@lists.01.org, lkp@intel.com, kbuild-all@lists.01.org,
Linux Memory Management List <linux-mm@kvack.org>,
Cornelia Huck <cohuck@redhat.com>
Subject: Re: [kbuild] [linux-next:master 6931/12022] drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'
Date: Tue, 23 Feb 2021 10:45:35 -0700 [thread overview]
Message-ID: <20210223104535.17986dee@omen.home.shazbot.org> (raw)
In-Reply-To: <de835b3f-8aef-2879-f637-97a24e810570@oracle.com>
On Tue, 23 Feb 2021 08:56:36 -0500
Steven Sistare <steven.sistare@oracle.com> wrote:
> On 2/22/2021 6:17 PM, Alex Williamson wrote:
> > On Mon, 22 Feb 2021 15:51:45 -0700
> > Alex Williamson <alex.williamson@redhat.com> wrote:
> >
> >> On Mon, 22 Feb 2021 17:10:43 +0300
> >> Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >>
> >>> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
> >>> head: 37dfbfbdca66834bc0f64ec9b35e09ac6c8898da
> >>> commit: 0f53afa12baec8c00f5d1d6afb49325ada105253 [6931/12022] vfio/type1: unmap cleanup
> >>
> >> It's always the patches that claim no functional change... ;)
> >>
> >>> config: i386-randconfig-m021-20210222 (attached as .config)
> >>> compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> >>>
> >>> If you fix the issue, kindly add following tag as appropriate
> >>> Reported-by: kernel test robot <lkp@intel.com>
> >>> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> >>>
> >>> New smatch warnings:
> >>> drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'
> >>>
> >>> vim +1093 drivers/vfio/vfio_iommu_type1.c
> >>>
> >>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1071 static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1072 struct vfio_iommu_type1_dma_unmap *unmap,
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1073 struct vfio_bitmap *bitmap)
> >>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1074 {
> >>> c086de818dd81c Kirti Wankhede 2016-11-17 1075 struct vfio_dma *dma, *dma_last = NULL;
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1076 size_t unmapped = 0, pgsize;
> >>> 0f53afa12baec8 Steve Sistare 2021-01-29 1077 int ret = -EINVAL, retries = 0;
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1078 unsigned long pgshift;
> >>> 0f53afa12baec8 Steve Sistare 2021-01-29 1079 dma_addr_t iova = unmap->iova;
> >>> 0f53afa12baec8 Steve Sistare 2021-01-29 1080 unsigned long size = unmap->size;
> >>> ^^^^^^^^^^^^^^^^^^
> >>>
> >>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1081
> >>> cade075f265b25 Kirti Wankhede 2020-05-29 1082 mutex_lock(&iommu->lock);
> >>> cade075f265b25 Kirti Wankhede 2020-05-29 1083
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1084 pgshift = __ffs(iommu->pgsize_bitmap);
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1085 pgsize = (size_t)1 << pgshift;
> >>> cade075f265b25 Kirti Wankhede 2020-05-29 1086
> >>> 0f53afa12baec8 Steve Sistare 2021-01-29 1087 if (iova & (pgsize - 1))
> >>> cade075f265b25 Kirti Wankhede 2020-05-29 1088 goto unlock;
> >>> cade075f265b25 Kirti Wankhede 2020-05-29 1089
> >>> 0f53afa12baec8 Steve Sistare 2021-01-29 1090 if (!size || size & (pgsize - 1))
> >>> cade075f265b25 Kirti Wankhede 2020-05-29 1091 goto unlock;
> >>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1092
> >>> 0f53afa12baec8 Steve Sistare 2021-01-29 @1093 if (iova + size - 1 < iova || size > SIZE_MAX)
> >>>
> >>> size is unsigned long and SIZE_MAX is ULONG_MAX so "size > SIZE_MAX"
> >>> does not make sense.
> >>
> >> I think it made sense before the above commit, where unmap->size is a
> >> __u64 and a user could provide a value that exceeds SIZE_MAX on ILP32.
> >> Seems like the fix is probably to use a size_t for the local variable
> >> and restore this test to compare (unmap->size > SIZE_MAX). Steve?
> >
> > Actually it seems like VFIO_DMA_UNMAP_FLAG_ALL doesn't work when
> > PHYS_ADDR_MAX != SIZE_MAX (ex. x86 PAE - I think).
>
> It seems like PAE causes problems even before VFIO_DMA_UNMAP_FLAG_ALL.
This wouldn't surprise me, I don't know of any actual non-64bit users
and pure 32bit support was only lightly validated ages ago.
> In the previous vfio_dma_do_unmap code, the u64 unmap->size would be
> truncated when passed to vfio_find_dma.
We would have failed with -EINVAL before we get there due to this
SIZE_MAX test. I think the existing (previous) PAE interface is at
least self consistent; I see the mapping path also attempts to check
that casting map->size as size_t still matches the original value.
> For unmap, these fixes should suffice, and I would rather do this than
> disable the unmap-all flag for a corner case:
>
> vfio_dma_do_unmap()
> size_t unmapped = 0;
> unsigned long size = unmap->size;
> ==>
> u64 unmapped = 0;
> u64 size = unmap->size;
>
> static struct rb_node *vfio_find_dma_first_node(
> struct vfio_iommu *iommu, dma_addr_t start, size_t size)
> ==>
> static struct rb_node *vfio_find_dma_first_node(
> struct vfio_iommu *iommu, dma_addr_t start, u64 size)
>
> And maybe use dma_addr_t instead of u64 in the above (which is 64 bits for
> CONFIG_X86_PAE).
>
> However, there are other places in the existing code that need tweaking
> to be safe for PAE, the vfio_find_dma() size arg for one.
Yes, it looks like the IOMMU aperture checking using vfio_find_dma()
could have issues where dma_addr_t > size_t. Do you want to propose a
patch? Thanks,
Alex
> > I can't say I'm
> > really interested in adding complexity to make it work in such a case
> > either. Maybe we can just not expose it, ex:
> >
> > diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> > index ed03f3fcb07e..6b69a74b3db0 100644
> > --- a/drivers/vfio/vfio_iommu_type1.c
> > +++ b/drivers/vfio/vfio_iommu_type1.c
> > @@ -1207,7 +1207,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> > int ret = -EINVAL, retries = 0;
> > unsigned long pgshift;
> > dma_addr_t iova = unmap->iova;
> > - unsigned long size = unmap->size;
> > + size_t size = unmap->size;
> > bool unmap_all = unmap->flags & VFIO_DMA_UNMAP_FLAG_ALL;
> > bool invalidate_vaddr = unmap->flags & VFIO_DMA_UNMAP_FLAG_VADDR;
> > struct rb_node *n, *first_n;
> > @@ -1228,7 +1228,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> > goto unlock;
> > }
> >
> > - if (iova + size - 1 < iova || size > SIZE_MAX)
> > + if (iova + size - 1 < iova || unmap->size > SIZE_MAX)
> > goto unlock;
> >
> > /* When dirty tracking is enabled, allow only min supported pgsize */
> > @@ -2657,9 +2657,10 @@ static int vfio_iommu_type1_check_extension(struct vfio_iommu *iommu,
> > case VFIO_TYPE1_IOMMU:
> > case VFIO_TYPE1v2_IOMMU:
> > case VFIO_TYPE1_NESTING_IOMMU:
> > - case VFIO_UNMAP_ALL:
> > case VFIO_UPDATE_VADDR:
> > return 1;
> > + case VFIO_UNMAP_ALL:
> > + return PHYS_ADDR_MAX == SIZE_MAX ? 1 : 0;
> > case VFIO_DMA_CC_IOMMU:
> > if (!iommu)
> > return 0;
> > @@ -2868,6 +2869,10 @@ static int vfio_iommu_type1_unmap_dma(struct vfio_iommu *iommu,
> > VFIO_DMA_UNMAP_FLAG_VADDR)))
> > return -EINVAL;
> >
> > + if ((PHYS_ADDR_MAX != SIZE_MAX) &&
> > + (unmap.flags & VFIO_DMA_UNMAP_FLAG_ALL))
> > + return -EINVAL;
> > +
> > if (unmap.flags & VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP) {
> > unsigned long pgshift;
> >
> >
> >
> >
> >
> >>> Is the " - 1" intentional on the other overflow check? As in it's okay
> >>> to wrap around to zero but not further than that? Sometimes this is
> >>> intentional but it requires more subsystem expertise than I possess.
> >>
> >> Yes, since we're dealing with a start + length we need to account for
> >> the -1 in the end value, otherwise the user could never unmap the last
> >> page of the address space. Thanks for the report!
> >>
> >> Alex
> >>
> >>> cade075f265b25 Kirti Wankhede 2020-05-29 1094 goto unlock;
> >>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1095
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1096 /* When dirty tracking is enabled, allow only min supported pgsize */
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1097 if ((unmap->flags & VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP) &&
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1098 (!iommu->dirty_page_tracking || (bitmap->pgsize != pgsize))) {
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1099 goto unlock;
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1100 }
> >>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1101
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1102 WARN_ON((pgsize - 1) & PAGE_MASK);
> >>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1103 again:
> >>> 1ef3e2bc04223f Alex Williamson 2014-02-26 1104 /*
> >>>
> >>> ---
> >>> 0-DAY CI Kernel Test Service, Intel Corporation
> >>> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
> >>
> >
>
next prev parent reply other threads:[~2021-02-23 17:45 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-22 14:10 [kbuild] [linux-next:master 6931/12022] drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)' Dan Carpenter
2021-02-22 22:51 ` Alex Williamson
2021-02-22 23:17 ` Alex Williamson
2021-02-23 13:56 ` Steven Sistare
2021-02-23 17:45 ` Alex Williamson [this message]
2021-02-23 20:37 ` Steven Sistare
2021-02-23 21:10 ` Alex Williamson
2021-02-23 21:52 ` Steven Sistare
2021-02-23 23:58 ` Steven Sistare
2021-02-24 22:55 ` Alex Williamson
2021-02-25 15:25 ` Steven Sistare
2021-02-25 18:00 ` Alex Williamson
2021-02-25 18:52 ` Steven Sistare
2021-02-25 19:12 ` Alex Williamson
2021-02-23 13:20 ` Steven Sistare
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210223104535.17986dee@omen.home.shazbot.org \
--to=alex.williamson@redhat.com \
--cc=cohuck@redhat.com \
--cc=dan.carpenter@oracle.com \
--cc=kbuild-all@lists.01.org \
--cc=kbuild@lists.01.org \
--cc=linux-mm@kvack.org \
--cc=lkp@intel.com \
--cc=steven.sistare@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).