Subject: Re: [PATCH] USB: usbfs: fix mmap dma mismatch
To: Greg Kroah-Hartman, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Christoph Hellwig, Hillf Danton, Thomas Gleixner, syzbot+353be47c9ce21b68b7ed@syzkaller.appspotmail.com, stable
References: <20200514112711.1858252-1-gregkh@linuxfoundation.org>
From: Jeremy Linton
Message-ID: <9cc0a324-c3d8-44f4-4e65-b6938ab8cb06@arm.com>
Date: Thu, 14 May 2020 06:37:25 -0500
In-Reply-To: <20200514112711.1858252-1-gregkh@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

So looking at hcd_buffer_alloc() again, there are 4 cases, localmem_pool, hcd_uses_dma, dma_pool_alloc and dma_alloc_coherent directly. The dma_pool_alloc appears to just be using dma_alloc_coherent, so it's really three cases.

Those three cases appear to be handled below:

So:

Reviewed-by: Jeremy Linton

I'm testing it now...

Thanks,

On 5/14/20 6:27 AM, Greg Kroah-Hartman wrote:
> In commit 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute
> mismatch") we switched from always calling remap_pfn_range() to call
> dma_mmap_coherent() to handle issues with systems with non-coherent USB host
> controller drivers. Unfortunately, as syzbot quickly told us, not all the world
> is host controllers with DMA support, so we need to check what host controller
> we are attempting to talk to before doing this type of allocation.
>
> Thanks to Christoph for the quick idea of how to fix this.
>
> Cc: Christoph Hellwig
> Cc: Hillf Danton
> Cc: Thomas Gleixner
> Cc: Jeremy Linton
> Reported-by: syzbot+353be47c9ce21b68b7ed@syzkaller.appspotmail.com
> Fixes: 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute mismatch")
> Cc: stable
> Signed-off-by: Greg Kroah-Hartman
> --- > drivers/usb/core/devio.c | 16 +++++++++++++--- > 1 file changed, 13 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c > index b9db9812d6c5..d93d94d7ff50 100644 > --- a/drivers/usb/core/devio.c > +++ b/drivers/usb/core/devio.c 
> @@ -251,9 +251,19 @@ static int usbdev_mmap(struct file *file, struct vm_area_struct *vma) > usbm->vma_use_count = 1; > INIT_LIST_HEAD(&usbm->memlist); > > - if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, size)) { > - dec_usb_memory_use_count(usbm, &usbm->vma_use_count); > - return -EAGAIN; > + if (hcd->localmem_pool || !hcd_uses_dma(hcd)) { > + if (remap_pfn_range(vma, vma->vm_start, > + virt_to_phys(usbm->mem) >> PAGE_SHIFT, > + size, vma->vm_page_prot) < 0) { > + dec_usb_memory_use_count(usbm, &usbm->vma_use_count); > + return -EAGAIN; > + } > + } else { > + if (dma_mmap_coherent(hcd->self.sysdev, vma, mem, dma_handle, > + size)) { > + dec_usb_memory_use_count(usbm, &usbm->vma_use_count); > + return -EAGAIN; > + } > } > > vma->vm_flags |= VM_IO; >
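
Review bot: in the new `remap_pfn_range()` branch, `virt_to_phys(usbm->mem)` is only meaningful for a buffer that lives in the kernel linear mapping, yet the condition `hcd->localmem_pool || !hcd_uses_dma(hcd)` sends both the local-memory-pool case and the no-DMA case down that path. Please add a comment stating why `virt_to_phys()` is valid for `localmem_pool` allocations, or split the two cases if it is not, since the resulting PFN is handed straight to userspace. Two smaller points in the same hunk: the first branch names the buffer `usbm->mem` while the `dma_mmap_coherent()` branch uses the local `mem`, so pick one name if they are the same pointer; and the `dec_usb_memory_use_count(usbm, &usbm->vma_use_count); return -EAGAIN;` pair is now duplicated and could be a single error path after computing one return value.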