Unlike the other instances which represent a complete loss of
consistency within the rcache mechanism itself, or a fundamental
and obvious misconfiguration by an IOMMU driver, the BUG_ON() in
iova_magazine_free_pfns() can be provoked at more or less any time
in a "spooky action-at-a-distance" manner by any old device driver
passing nonsense to dma_unmap_*() which then propagates through to
queue_iova().
Not only is this well outside the IOVA layer's control, it's also
nowhere near fatal enough to justify panicking anyway - all that
really achieves is to make debugging the offending driver more
difficult. Let's simply WARN and otherwise ignore bogus PFNs.
Reported-by: Prakash Gupta <[email protected]>
Signed-off-by: Robin Murphy <[email protected]>
---
drivers/iommu/iova.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
index 0e6a9536eca6..612cbf668adf 100644
--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -811,7 +811,9 @@ iova_magazine_free_pfns(struct iova_magazine *mag, struct iova_domain *iovad)
for (i = 0 ; i < mag->size; ++i) {
struct iova *iova = private_find_iova(iovad, mag->pfns[i]);
- BUG_ON(!iova);
+ if (WARN_ON(!iova))
+ continue;
+
private_free_iova(iovad, iova);
}
--
2.23.0.dirty
On 2020-06-02 18:38, Robin Murphy wrote:
> Unlike the other instances which represent a complete loss of
> consistency within the rcache mechanism itself, or a fundamental
> and obvious misconfiguration by an IOMMU driver, the BUG_ON() in
> iova_magazine_free_pfns() can be provoked at more or less any time
> in a "spooky action-at-a-distance" manner by any old device driver
> passing nonsense to dma_unmap_*() which then propagates through to
> queue_iova().
>
> Not only is this well outside the IOVA layer's control, it's also
> nowhere near fatal enough to justify panicking anyway - all that
> really achieves is to make debugging the offending driver more
> difficult. Let's simply WARN and otherwise ignore bogus PFNs.
>
> Reported-by: Prakash Gupta <[email protected]>
> Signed-off-by: Robin Murphy <[email protected]>
> ---
> drivers/iommu/iova.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
Copying [email protected]
You can add
Reviewed-by: Prakash Gupta <[email protected]>
> diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
> index 0e6a9536eca6..612cbf668adf 100644
> --- a/drivers/iommu/iova.c
> +++ b/drivers/iommu/iova.c
> @@ -811,7 +811,9 @@ iova_magazine_free_pfns(struct iova_magazine *mag,
> struct iova_domain *iovad)
> for (i = 0 ; i < mag->size; ++i) {
> struct iova *iova = private_find_iova(iovad, mag->pfns[i]);
>
> - BUG_ON(!iova);
> + if (WARN_ON(!iova))
> + continue;
> +
> private_free_iova(iovad, iova);
> }
On 2020-06-10 10:27, [email protected] wrote:
> On 2020-06-02 18:38, Robin Murphy wrote:
>> Unlike the other instances which represent a complete loss of
>> consistency within the rcache mechanism itself, or a fundamental
>> and obvious misconfiguration by an IOMMU driver, the BUG_ON() in
>> iova_magazine_free_pfns() can be provoked at more or less any time
>> in a "spooky action-at-a-distance" manner by any old device driver
>> passing nonsense to dma_unmap_*() which then propagates through to
>> queue_iova().
>>
>> Not only is this well outside the IOVA layer's control, it's also
>> nowhere near fatal enough to justify panicking anyway - all that
>> really achieves is to make debugging the offending driver more
>> difficult. Let's simply WARN and otherwise ignore bogus PFNs.
>>
>> Reported-by: Prakash Gupta <[email protected]>
>> Signed-off-by: Robin Murphy <[email protected]>
>> ---
>> drivers/iommu/iova.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>
> Copying [email protected]
Per Documentation/process/stable-kernel-rules.rst, I'm not convinced
this meets the criteria for stable, which is why I deliberately left
that out. This change isn't fixing any bug in itself, it is merely
relaxing a behaviour that only comes into play if a serious and
effectively unrecoverable bug has already occurred elsewhere.
If Joerg feels like sending it to stable anyway then fair enough, but
FYI there is no relevant "Fixes" tag.
> You can add
> Reviewed-by: Prakash Gupta <[email protected]>
Thanks,
Robin.
>> diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
>> index 0e6a9536eca6..612cbf668adf 100644
>> --- a/drivers/iommu/iova.c
>> +++ b/drivers/iommu/iova.c
>> @@ -811,7 +811,9 @@ iova_magazine_free_pfns(struct iova_magazine *mag,
>> struct iova_domain *iovad)
>> for (i = 0 ; i < mag->size; ++i) {
>> struct iova *iova = private_find_iova(iovad, mag->pfns[i]);
>>
>> - BUG_ON(!iova);
>> + if (WARN_ON(!iova))
>> + continue;
>> +
>> private_free_iova(iovad, iova);
>> }
On Tue, Jun 02, 2020 at 02:08:18PM +0100, Robin Murphy wrote:
> Unlike the other instances which represent a complete loss of
> consistency within the rcache mechanism itself, or a fundamental
> and obvious misconfiguration by an IOMMU driver, the BUG_ON() in
> iova_magazine_free_pfns() can be provoked at more or less any time
> in a "spooky action-at-a-distance" manner by any old device driver
> passing nonsense to dma_unmap_*() which then propagates through to
> queue_iova().
>
> Not only is this well outside the IOVA layer's control, it's also
> nowhere near fatal enough to justify panicking anyway - all that
> really achieves is to make debugging the offending driver more
> difficult. Let's simply WARN and otherwise ignore bogus PFNs.
>
> Reported-by: Prakash Gupta <[email protected]>
> Signed-off-by: Robin Murphy <[email protected]>
> ---
> drivers/iommu/iova.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Applied without stable tag, thanks.