From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
To: Robin Murphy <robin.murphy@arm.com>
Cc: Christoph Hellwig <hch@lst.de>,
iommu@lists.linux-foundation.org,
linux-s390 <linux-s390@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Niklas Schnelle <schnelle@linux.ibm.com>
Subject: Re: [RFC PATCH 1/1] dma-debug: fix check_for_illegal_area() in debug_dma_map_sg()
Date: Tue, 6 Jul 2021 21:12:07 +0200 [thread overview]
Message-ID: <20210706211207.48f15496@thinkpad> (raw)
In-Reply-To: <3bb87b4c-f646-20fe-7cc5-c7449432811e@arm.com>
On Tue, 6 Jul 2021 10:22:40 +0100
Robin Murphy <robin.murphy@arm.com> wrote:
> On 2021-07-05 19:52, Gerald Schaefer wrote:
> > The following warning occurred sporadically on s390:
> > DMA-API: nvme 0006:00:00.0: device driver maps memory from kernel text or rodata [addr=0000000048cc5e2f] [len=131072]
> > WARNING: CPU: 4 PID: 825 at kernel/dma/debug.c:1083 check_for_illegal_area+0xa8/0x138
> >
> > It is a false-positive warning, due to a broken logic in debug_dma_map_sg().
> > check_for_illegal_area() should check for overlay of sg elements with kernel
> > text or rodata. It is called with sg_dma_len(s) instead of s->length as
> > parameter. After the call to ->map_sg(), sg_dma_len() contains the length
> > of possibly combined sg elements in the DMA address space, and not the
> > individual sg element length, which would be s->length.
> >
> > The check will then use the kernel start address of an sg element, and add
> > the DMA length for overlap check, which can result in the false-positive
> > warning because the DMA length can be larger than the actual single sg
> > element length in kernel address space.
> >
> > In addition, the call to check_for_illegal_area() happens in the iteration
> > over mapped_ents, which will not include all individual sg elements if
> > any of them were combined in ->map_sg().
> >
> > Fix this by using s->length instead of sg_dma_len(s). Also put the call to
> > check_for_illegal_area() in a separate loop, iterating over all the
> > individual sg elements ("nents" instead of "mapped_ents").
> >
> > Fixes: 884d05970bfb ("dma-debug: use sg_dma_len accessor")
> > Tested-by: Niklas Schnelle <schnelle@linux.ibm.com>
> > Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
> > ---
> > kernel/dma/debug.c | 10 ++++++----
> > 1 file changed, 6 insertions(+), 4 deletions(-)
> >
> > diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
> > index 14de1271463f..d7d44b7fe7e2 100644
> > --- a/kernel/dma/debug.c
> > +++ b/kernel/dma/debug.c
> > @@ -1299,6 +1299,12 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg,
> > if (unlikely(dma_debug_disabled()))
> > return;
> >
> > + for_each_sg(sg, s, nents, i) {
> > + if (!PageHighMem(sg_page(s))) {
> > + check_for_illegal_area(dev, sg_virt(s), s->length);
> > + }
> > + }
> > +
> > for_each_sg(sg, s, mapped_ents, i) {
> > entry = dma_entry_alloc();
> > if (!entry)
> > @@ -1316,10 +1322,6 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg,
> >
> > check_for_stack(dev, sg_page(s), s->offset);
>
> Strictly this should probably be moved to the new loop as well, as it is
> similarly concerned with validating the source segments rather than the
> DMA mappings - I think with virtually-mapped stacks it might technically
> be possible for a stack page to be physically adjacent to a "valid" page
> such that it could get merged and overlooked if it were near the end of
> the list, although in fairness that would probably be indicative of
> something having gone far more fundamentally wrong. Otherwise, the
> overall reasoning looks sound to me.
I see, good point. I think I can add this to my patch, and a different
subject like "dma-debug: fix sg checks in debug_dma_map_sg()".
However, I do not quite understand why check_for_stack() does not also
consider s->length. It seems to check only the first page of an sg
element.
So, shouldn't check_for_stack() behave similar to check_for_illegal_area(),
i.e. check all source sg elements for overlap with the task stack area?
If yes, then this probably should be a separate patch, but I can try
to come up with something and send a new RFC with two patches. Maybe
check_for_stack() can also be integrated into check_for_illegal_area(),
they are both called at the same places. And mapping memory from the
stack also sounds rather illegal.
next prev parent reply other threads:[~2021-07-06 19:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-05 18:52 [RFC PATCH 0/1] dma-debug: fix check_for_illegal_area() in debug_dma_map_sg() Gerald Schaefer
2021-07-05 18:52 ` [RFC PATCH 1/1] " Gerald Schaefer
2021-07-06 9:22 ` Robin Murphy
2021-07-06 19:12 ` Gerald Schaefer [this message]
2021-07-07 11:47 ` Robin Murphy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210706211207.48f15496@thinkpad \
--to=gerald.schaefer@linux.ibm.com \
--cc=hch@lst.de \
--cc=iommu@lists.linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=robin.murphy@arm.com \
--cc=schnelle@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).