archive mirror
 help / color / mirror / Atom feed
From: Thomas Gleixner <>
To: Corentin Labbe <>
	Jens Axboe <>,,
	Andrew Morton <>,Julia Lawall
Subject: Re: crypto: sun4i-ss: error with kmap
Date: Sat, 05 Dec 2020 20:48:15 +0100	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <20201205184334.GA8034@Red>


On Sat, Dec 05 2020 at 19:43, Corentin Labbe wrote:
> On Fri, Dec 04, 2020 at 09:58:21PM +0100, Thomas Gleixner wrote:
>> Can you please replace the debug patch with the one below and try again?
>> That stops the trace right on the condition.
> Hello, the result could be found at

Thanks for providing this. This is clearly showing where stuff goes
wrong. It starts here at 729.550001. I removed the uninteresting parts:

0d..2 147103293us : __kmap_local_page_prot <-sg_miter_next
0d..3 147103308us :__kmap_local_pfn_prot: kmap_local_pfn: 1 ffefd000

0d..3 147103311us : __kmap_local_page_prot <-sg_miter_next
0d..4 147103325us : __kmap_local_pfn_prot: kmap_local_pfn: 3 ffefb000

0d..3 147103429us : kunmap_local_indexed <-sg_miter_stop
0d..4 147103433us : kunmap_local_indexed: kunmap_local: 3 ffefd000

So this maps two pages and unmaps the first one. That's all called from
sun4i_ss_opti_poll() and the bug is clearly visible there:



Written by yourself :) Same issue in sun4i_ss_cipher_poll()

Fix below.

Julia, it might be worth to have a coccinelle check for that. It's the
only place which got it wrong, but this goes unnoticed when code is
e.g. only fully tested on 64bit or as in this case never tested with
full debugging enabled. The whole kmap_atomic and kmap_local (new in
next) family and all users like the sg_miter stuff are affected by this.


Subject: crypto: sun4i-ss - Fix sg_miter_stop() ordering
From: Thomas Gleixner <>
Date: Sat, 05 Dec 2020 20:17:28 +0100

sun4i_ss_opti_poll() and sun4i_ss_cipher_poll() do:


which is the wrong order because sg_miter_next() maps a page with
kmap_atomic() and sg_miter_stop() unmaps it. kmap_atomic() uses a stack
internaly which requires that the nested map is unmapped first. As this
uses the wrong order it triggers the warning in kunmap_local_indexed()
which checks the to be unmapped address and subsequently crashes.

This went unnoticed for 5 years because the ARM kmap_atomic()
implementation had the warning conditional on CONFIG_DEBUG_HIGHMEM which
was obviously never enabled when testing that driver.

Flip the order to cure it.

Reported-by: Corentin Labbe <>
Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
Signed-off-by: Thomas Gleixner <>
 drivers/crypto/allwinner/sun4i-ss/sun4i-ss-cipher.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-cipher.c
+++ b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-cipher.c
@@ -109,8 +109,8 @@ static int noinline_for_stack sun4i_ss_o
-	sg_miter_stop(&mi);
+	sg_miter_stop(&mi);
 	writel(0, ss->base + SS_CTL);
 	spin_unlock_irqrestore(&ss->slock, flags);
 	return err;
@@ -333,8 +333,8 @@ static int sun4i_ss_cipher_poll(struct s
-	sg_miter_stop(&mi);
+	sg_miter_stop(&mi);
 	writel(0, ss->base + SS_CTL);
 	spin_unlock_irqrestore(&ss->slock, flags);

  reply	other threads:[~2020-12-05 19:48 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20201201130102.GA23461@Red>
     [not found] ` <>
     [not found]   ` <20201201135252.GA9584@Red>
     [not found]     ` <>
     [not found]       ` <20201201144529.GA6786@Red>
     [not found]         ` <>
     [not found]           ` <20201202195501.GA29296@Red>
     [not found]             ` <>
     [not found]               ` <20201203173846.GA16207@Red>
2020-12-03 23:34                 ` crypto: sun4i-ss: error with kmap Thomas Gleixner
2020-12-04 13:26                   ` Corentin Labbe
2020-12-04 15:08                     ` Thomas Gleixner
2020-12-04 19:27                       ` Corentin Labbe
2020-12-04 20:58                         ` Thomas Gleixner
2020-12-05 18:43                           ` Corentin Labbe
2020-12-05 19:48                             ` Thomas Gleixner [this message]
2020-12-05 20:16                               ` Julia Lawall
2020-12-06 21:40                               ` Corentin Labbe
2020-12-07  0:15                                 ` Thomas Gleixner
2020-12-07 12:18                                   ` Corentin Labbe
2020-12-07 15:53                                     ` Thomas Gleixner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).