* [RFC PATCH 0/1] dma-debug: fix check_for_illegal_area() in debug_dma_map_sg() @ 2021-07-05 18:52 Gerald Schaefer 2021-07-05 18:52 ` [RFC PATCH 1/1] " Gerald Schaefer 0 siblings, 1 reply; 5+ messages in thread From: Gerald Schaefer @ 2021-07-05 18:52 UTC (permalink / raw) To: Christoph Hellwig, iommu; +Cc: LKML, linux-s390, Niklas Schnelle The following warning occurred sporadically on s390: DMA-API: nvme 0006:00:00.0: device driver maps memory from kernel text or rodata [addr=0000000048cc5e2f] [len=131072] WARNING: CPU: 4 PID: 825 at kernel/dma/debug.c:1083 check_for_illegal_area+0xa8/0x138 It is a false-positive warning, due to a broken logic in debug_dma_map_sg(), see patch description. In short, the check is mixing up kernel start address for sg elements with the length of possibly combined sg elements in the DMA address space. I am a bit confused by the whole logic, and not sure what would be the best way to fix this. The false-postives should have been possible since commit 884d05970bfb ("dma-debug: use sg_dma_len accessor"), which is included since 2.6.31. Also, it seems to me that even before that commit, the check would have been wrong, or at least incomplete, because it is located in a loop that iterates over mapped_ents instead of nents. So it would not check all physical sg elements if any were combined in DMA address space. Gerald Schaefer (1): dma-debug: fix check_for_illegal_area() in debug_dma_map_sg() kernel/dma/debug.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) -- 2.25.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [RFC PATCH 1/1] dma-debug: fix check_for_illegal_area() in debug_dma_map_sg() 2021-07-05 18:52 [RFC PATCH 0/1] dma-debug: fix check_for_illegal_area() in debug_dma_map_sg() Gerald Schaefer @ 2021-07-05 18:52 ` Gerald Schaefer 2021-07-06 9:22 ` Robin Murphy 0 siblings, 1 reply; 5+ messages in thread From: Gerald Schaefer @ 2021-07-05 18:52 UTC (permalink / raw) To: Christoph Hellwig, iommu; +Cc: LKML, linux-s390, Niklas Schnelle The following warning occurred sporadically on s390: DMA-API: nvme 0006:00:00.0: device driver maps memory from kernel text or rodata [addr=0000000048cc5e2f] [len=131072] WARNING: CPU: 4 PID: 825 at kernel/dma/debug.c:1083 check_for_illegal_area+0xa8/0x138 It is a false-positive warning, due to a broken logic in debug_dma_map_sg(). check_for_illegal_area() should check for overlay of sg elements with kernel text or rodata. It is called with sg_dma_len(s) instead of s->length as parameter. After the call to ->map_sg(), sg_dma_len() contains the length of possibly combined sg elements in the DMA address space, and not the individual sg element length, which would be s->length. The check will then use the kernel start address of an sg element, and add the DMA length for overlap check, which can result in the false-positive warning because the DMA length can be larger than the actual single sg element length in kernel address space. In addition, the call to check_for_illegal_area() happens in the iteration over mapped_ents, which will not include all individual sg elements if any of them were combined in ->map_sg(). Fix this by using s->length instead of sg_dma_len(s). Also put the call to check_for_illegal_area() in a separate loop, iterating over all the individual sg elements ("nents" instead of "mapped_ents"). Fixes: 884d05970bfb ("dma-debug: use sg_dma_len accessor") Tested-by: Niklas Schnelle <schnelle@linux.ibm.com> Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com> --- kernel/dma/debug.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c index 14de1271463f..d7d44b7fe7e2 100644 --- a/kernel/dma/debug.c +++ b/kernel/dma/debug.c @@ -1299,6 +1299,12 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg, if (unlikely(dma_debug_disabled())) return; + for_each_sg(sg, s, nents, i) { + if (!PageHighMem(sg_page(s))) { + check_for_illegal_area(dev, sg_virt(s), s->length); + } + } + for_each_sg(sg, s, mapped_ents, i) { entry = dma_entry_alloc(); if (!entry) @@ -1316,10 +1322,6 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg, check_for_stack(dev, sg_page(s), s->offset); - if (!PageHighMem(sg_page(s))) { - check_for_illegal_area(dev, sg_virt(s), sg_dma_len(s)); - } - check_sg_segment(dev, s); add_dma_entry(entry); -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [RFC PATCH 1/1] dma-debug: fix check_for_illegal_area() in debug_dma_map_sg() 2021-07-05 18:52 ` [RFC PATCH 1/1] " Gerald Schaefer @ 2021-07-06 9:22 ` Robin Murphy 2021-07-06 19:12 ` Gerald Schaefer 0 siblings, 1 reply; 5+ messages in thread From: Robin Murphy @ 2021-07-06 9:22 UTC (permalink / raw) To: Gerald Schaefer, Christoph Hellwig, iommu Cc: linux-s390, LKML, Niklas Schnelle On 2021-07-05 19:52, Gerald Schaefer wrote: > The following warning occurred sporadically on s390: > DMA-API: nvme 0006:00:00.0: device driver maps memory from kernel text or rodata [addr=0000000048cc5e2f] [len=131072] > WARNING: CPU: 4 PID: 825 at kernel/dma/debug.c:1083 check_for_illegal_area+0xa8/0x138 > > It is a false-positive warning, due to a broken logic in debug_dma_map_sg(). > check_for_illegal_area() should check for overlay of sg elements with kernel > text or rodata. It is called with sg_dma_len(s) instead of s->length as > parameter. After the call to ->map_sg(), sg_dma_len() contains the length > of possibly combined sg elements in the DMA address space, and not the > individual sg element length, which would be s->length. > > The check will then use the kernel start address of an sg element, and add > the DMA length for overlap check, which can result in the false-positive > warning because the DMA length can be larger than the actual single sg > element length in kernel address space. > > In addition, the call to check_for_illegal_area() happens in the iteration > over mapped_ents, which will not include all individual sg elements if > any of them were combined in ->map_sg(). > > Fix this by using s->length instead of sg_dma_len(s). Also put the call to > check_for_illegal_area() in a separate loop, iterating over all the > individual sg elements ("nents" instead of "mapped_ents"). > > Fixes: 884d05970bfb ("dma-debug: use sg_dma_len accessor") > Tested-by: Niklas Schnelle <schnelle@linux.ibm.com> > Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com> > --- > kernel/dma/debug.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c > index 14de1271463f..d7d44b7fe7e2 100644 > --- a/kernel/dma/debug.c > +++ b/kernel/dma/debug.c > @@ -1299,6 +1299,12 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg, > if (unlikely(dma_debug_disabled())) > return; > > + for_each_sg(sg, s, nents, i) { > + if (!PageHighMem(sg_page(s))) { > + check_for_illegal_area(dev, sg_virt(s), s->length); > + } > + } > + > for_each_sg(sg, s, mapped_ents, i) { > entry = dma_entry_alloc(); > if (!entry) > @@ -1316,10 +1322,6 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg, > > check_for_stack(dev, sg_page(s), s->offset); Strictly this should probably be moved to the new loop as well, as it is similarly concerned with validating the source segments rather than the DMA mappings - I think with virtually-mapped stacks it might technically be possible for a stack page to be physically adjacent to a "valid" page such that it could get merged and overlooked if it were near the end of the list, although in fairness that would probably be indicative of something having gone far more fundamentally wrong. Otherwise, the overall reasoning looks sound to me. Robin. > > - if (!PageHighMem(sg_page(s))) { > - check_for_illegal_area(dev, sg_virt(s), sg_dma_len(s)); > - } > - > check_sg_segment(dev, s); > > add_dma_entry(entry); > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [RFC PATCH 1/1] dma-debug: fix check_for_illegal_area() in debug_dma_map_sg() 2021-07-06 9:22 ` Robin Murphy @ 2021-07-06 19:12 ` Gerald Schaefer 2021-07-07 11:47 ` Robin Murphy 0 siblings, 1 reply; 5+ messages in thread From: Gerald Schaefer @ 2021-07-06 19:12 UTC (permalink / raw) To: Robin Murphy; +Cc: Christoph Hellwig, iommu, linux-s390, LKML, Niklas Schnelle On Tue, 6 Jul 2021 10:22:40 +0100 Robin Murphy <robin.murphy@arm.com> wrote: > On 2021-07-05 19:52, Gerald Schaefer wrote: > > The following warning occurred sporadically on s390: > > DMA-API: nvme 0006:00:00.0: device driver maps memory from kernel text or rodata [addr=0000000048cc5e2f] [len=131072] > > WARNING: CPU: 4 PID: 825 at kernel/dma/debug.c:1083 check_for_illegal_area+0xa8/0x138 > > > > It is a false-positive warning, due to a broken logic in debug_dma_map_sg(). > > check_for_illegal_area() should check for overlay of sg elements with kernel > > text or rodata. It is called with sg_dma_len(s) instead of s->length as > > parameter. After the call to ->map_sg(), sg_dma_len() contains the length > > of possibly combined sg elements in the DMA address space, and not the > > individual sg element length, which would be s->length. > > > > The check will then use the kernel start address of an sg element, and add > > the DMA length for overlap check, which can result in the false-positive > > warning because the DMA length can be larger than the actual single sg > > element length in kernel address space. > > > > In addition, the call to check_for_illegal_area() happens in the iteration > > over mapped_ents, which will not include all individual sg elements if > > any of them were combined in ->map_sg(). > > > > Fix this by using s->length instead of sg_dma_len(s). Also put the call to > > check_for_illegal_area() in a separate loop, iterating over all the > > individual sg elements ("nents" instead of "mapped_ents"). > > > > Fixes: 884d05970bfb ("dma-debug: use sg_dma_len accessor") > > Tested-by: Niklas Schnelle <schnelle@linux.ibm.com> > > Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com> > > --- > > kernel/dma/debug.c | 10 ++++++---- > > 1 file changed, 6 insertions(+), 4 deletions(-) > > > > diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c > > index 14de1271463f..d7d44b7fe7e2 100644 > > --- a/kernel/dma/debug.c > > +++ b/kernel/dma/debug.c > > @@ -1299,6 +1299,12 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg, > > if (unlikely(dma_debug_disabled())) > > return; > > > > + for_each_sg(sg, s, nents, i) { > > + if (!PageHighMem(sg_page(s))) { > > + check_for_illegal_area(dev, sg_virt(s), s->length); > > + } > > + } > > + > > for_each_sg(sg, s, mapped_ents, i) { > > entry = dma_entry_alloc(); > > if (!entry) > > @@ -1316,10 +1322,6 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg, > > > > check_for_stack(dev, sg_page(s), s->offset); > > Strictly this should probably be moved to the new loop as well, as it is > similarly concerned with validating the source segments rather than the > DMA mappings - I think with virtually-mapped stacks it might technically > be possible for a stack page to be physically adjacent to a "valid" page > such that it could get merged and overlooked if it were near the end of > the list, although in fairness that would probably be indicative of > something having gone far more fundamentally wrong. Otherwise, the > overall reasoning looks sound to me. I see, good point. I think I can add this to my patch, and a different subject like "dma-debug: fix sg checks in debug_dma_map_sg()". However, I do not quite understand why check_for_stack() does not also consider s->length. It seems to check only the first page of an sg element. So, shouldn't check_for_stack() behave similar to check_for_illegal_area(), i.e. check all source sg elements for overlap with the task stack area? If yes, then this probably should be a separate patch, but I can try to come up with something and send a new RFC with two patches. Maybe check_for_stack() can also be integrated into check_for_illegal_area(), they are both called at the same places. And mapping memory from the stack also sounds rather illegal. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [RFC PATCH 1/1] dma-debug: fix check_for_illegal_area() in debug_dma_map_sg() 2021-07-06 19:12 ` Gerald Schaefer @ 2021-07-07 11:47 ` Robin Murphy 0 siblings, 0 replies; 5+ messages in thread From: Robin Murphy @ 2021-07-07 11:47 UTC (permalink / raw) To: Gerald Schaefer Cc: Christoph Hellwig, iommu, linux-s390, LKML, Niklas Schnelle On 2021-07-06 20:12, Gerald Schaefer wrote: > On Tue, 6 Jul 2021 10:22:40 +0100 > Robin Murphy <robin.murphy@arm.com> wrote: > >> On 2021-07-05 19:52, Gerald Schaefer wrote: >>> The following warning occurred sporadically on s390: >>> DMA-API: nvme 0006:00:00.0: device driver maps memory from kernel text or rodata [addr=0000000048cc5e2f] [len=131072] >>> WARNING: CPU: 4 PID: 825 at kernel/dma/debug.c:1083 check_for_illegal_area+0xa8/0x138 >>> >>> It is a false-positive warning, due to a broken logic in debug_dma_map_sg(). >>> check_for_illegal_area() should check for overlay of sg elements with kernel >>> text or rodata. It is called with sg_dma_len(s) instead of s->length as >>> parameter. After the call to ->map_sg(), sg_dma_len() contains the length >>> of possibly combined sg elements in the DMA address space, and not the >>> individual sg element length, which would be s->length. >>> >>> The check will then use the kernel start address of an sg element, and add >>> the DMA length for overlap check, which can result in the false-positive >>> warning because the DMA length can be larger than the actual single sg >>> element length in kernel address space. >>> >>> In addition, the call to check_for_illegal_area() happens in the iteration >>> over mapped_ents, which will not include all individual sg elements if >>> any of them were combined in ->map_sg(). >>> >>> Fix this by using s->length instead of sg_dma_len(s). Also put the call to >>> check_for_illegal_area() in a separate loop, iterating over all the >>> individual sg elements ("nents" instead of "mapped_ents"). >>> >>> Fixes: 884d05970bfb ("dma-debug: use sg_dma_len accessor") >>> Tested-by: Niklas Schnelle <schnelle@linux.ibm.com> >>> Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com> >>> --- >>> kernel/dma/debug.c | 10 ++++++---- >>> 1 file changed, 6 insertions(+), 4 deletions(-) >>> >>> diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c >>> index 14de1271463f..d7d44b7fe7e2 100644 >>> --- a/kernel/dma/debug.c >>> +++ b/kernel/dma/debug.c >>> @@ -1299,6 +1299,12 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg, >>> if (unlikely(dma_debug_disabled())) >>> return; >>> >>> + for_each_sg(sg, s, nents, i) { >>> + if (!PageHighMem(sg_page(s))) { >>> + check_for_illegal_area(dev, sg_virt(s), s->length); >>> + } >>> + } >>> + >>> for_each_sg(sg, s, mapped_ents, i) { >>> entry = dma_entry_alloc(); >>> if (!entry) >>> @@ -1316,10 +1322,6 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg, >>> >>> check_for_stack(dev, sg_page(s), s->offset); >> >> Strictly this should probably be moved to the new loop as well, as it is >> similarly concerned with validating the source segments rather than the >> DMA mappings - I think with virtually-mapped stacks it might technically >> be possible for a stack page to be physically adjacent to a "valid" page >> such that it could get merged and overlooked if it were near the end of >> the list, although in fairness that would probably be indicative of >> something having gone far more fundamentally wrong. Otherwise, the >> overall reasoning looks sound to me. > > I see, good point. I think I can add this to my patch, and a different > subject like "dma-debug: fix sg checks in debug_dma_map_sg()". TBH it's more of a conceptual cleanliness thing than a significant practical concern, but if we *are* breaking out a separate "validate the source elements" step then it does seem logical to capture everything relevant at once. > However, I do not quite understand why check_for_stack() does not also > consider s->length. It seems to check only the first page of an sg > element. > > So, shouldn't check_for_stack() behave similar to check_for_illegal_area(), > i.e. check all source sg elements for overlap with the task stack area? Realistically, creating a scatterlist segment pointing to the stack at all would already be quite an audacious feat of brokenness, but getting a random stack page in the middle of a segment would seem to imply something having gone so catastrophically wrong that it's destined to end very badly whether or not dma-debug squawks about it - not to mention getting lucky enough for said random stack page to actually belong to the current task stack in the first place :) Robin. > If yes, then this probably should be a separate patch, but I can try > to come up with something and send a new RFC with two patches. Maybe > check_for_stack() can also be integrated into check_for_illegal_area(), > they are both called at the same places. And mapping memory from the > stack also sounds rather illegal. > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-07-07 11:47 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-07-05 18:52 [RFC PATCH 0/1] dma-debug: fix check_for_illegal_area() in debug_dma_map_sg() Gerald Schaefer 2021-07-05 18:52 ` [RFC PATCH 1/1] " Gerald Schaefer 2021-07-06 9:22 ` Robin Murphy 2021-07-06 19:12 ` Gerald Schaefer 2021-07-07 11:47 ` Robin Murphy
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).