Received: by 2002:a25:1104:0:0:0:0:0 with SMTP id 4csp23115ybr; Thu, 21 May 2020 23:28:01 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwiyPBHO9e8Hz+TzCt12ZyVH20N7/S300xSr8upjTiwJ5Ki9eLpWnLHBMozMLiLSPXJK+yd X-Received: by 2002:a17:906:e211:: with SMTP id gf17mr6723817ejb.495.1590128880879; Thu, 21 May 2020 23:28:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590128880; cv=none; d=google.com; s=arc-20160816; b=v9trv8Xb6GN9Gir8RFLbRkzZFianzUdZA7GlZbCitMnprRibW6Jysl0DgFmwTezxZM cWPXdWnZPKqs9L2NrmP0M22RD3Qr3jdHLSQh6l9zCSydfsPaS6z05lpkCrzibjSPq2H8 z97YkwGbcSOflT+M2K3BxCgmVGiFVUIDfunW/aKRCjCoU20ohVyKA4XTjmt/o1TogCdK BXpN888a4ImPMOWIlLid39BrMNnzQg09GsPEXzgKbfxlY7gKmOZhnNH7C9zwYvHyc5HF Vfwpoi6AmdHmi/R+V62IQg2Cyzkd3JYOaykgieELoPUhofXXQAHwf4I4E3F/hikB0tah r5Hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:message-id:references :in-reply-to:subject:cc:to:from:date:content-transfer-encoding :mime-version:dkim-signature; bh=H359ESmKnUtSY7Q0hAO68B/54fVOQ0qzAvK2WHo9oz8=; b=rO0ZGpapPgI/2pb4UckHbZHB8v5RZskcfRKzY2ka2ABVPkIha9Tvt9z70xj0cNqAWU ffTAtmLWUC+JaD3VK3FZWQrrt49mPT42zVOdxCpqCey2W15y8MC6YF0LgTvs+hm9hPjW Omxnn6yaUQZ+eO8/UKW2lfMjyGLqntW1y+VydQdtk24oxuPjDPDqAcpzlgi04/r8KUL9 qZiRlGGloJQv/0nCAuya+RYI1A/UOPg3YK5CRZ7KQ3aIoGAYcDQmJNacNz5qCFKjOxT+ nW9DKL2+x28INvwtF75Ze/zFPb+/ZhXYvIHpOr7giWnb29XeGV0yyPQgRxshH+jXt5Tu 2TVA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@mg.codeaurora.org header.s=smtp header.b=nSlqKGOP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o5si4799015edz.312.2020.05.21.23.27.38; Thu, 21 May 2020 23:28:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@mg.codeaurora.org header.s=smtp header.b=nSlqKGOP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728154AbgEVGZ4 (ORCPT + 99 others); Fri, 22 May 2020 02:25:56 -0400 Received: from mail26.static.mailgun.info ([104.130.122.26]:38462 "EHLO mail26.static.mailgun.info" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728137AbgEVGZ4 (ORCPT ); Fri, 22 May 2020 02:25:56 -0400 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1590128755; h=Message-ID: References: In-Reply-To: Subject: Cc: To: From: Date: Content-Transfer-Encoding: Content-Type: MIME-Version: Sender; bh=H359ESmKnUtSY7Q0hAO68B/54fVOQ0qzAvK2WHo9oz8=; b=nSlqKGOPTSt7Mxkmyc57AI+3wrGgD4yFjTaiNtsMTZ33a2dQEeI0iAugTmiePTEk1lHQuvcu zmTzcmMUjlDSVf5PqVkkLBRyH9ky1+xyFF5FTxfp4AsvTJz3mzSrBm428QYbOwRw6Co9OdsG s1pzRCLZVDYhNo53xw22d8oDa9E= X-Mailgun-Sending-Ip: 104.130.122.26 X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by mxa.mailgun.org with ESMTP id 5ec77069.7fe5ffd92650-smtp-out-n05; Fri, 22 May 2020 06:25:45 -0000 (UTC) Received: by smtp.codeaurora.org (Postfix, from userid 1001) id CB1F3C433C6; Fri, 22 May 2020 06:25:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=2.0 tests=ALL_TRUSTED,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.codeaurora.org (localhost.localdomain [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: guptap) by smtp.codeaurora.org (Postfix) with ESMTPSA id EB428C433C6; Fri, 22 May 2020 06:25:44 +0000 (UTC) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Fri, 22 May 2020 11:55:44 +0530 From: guptap@codeaurora.org To: Robin Murphy , Andrew Morton Cc: mhocko@suse.com, joro@8bytes.org, linux-mm@kvack.org, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org, owner-linux-mm@kvack.org, stable@vger.kernel.org Subject: Re: [PATCH] iommu/dma: limit iova free size to unmmaped iova In-Reply-To: <7aaa8dcc-6a47-f256-431d-2a1b034b4076@arm.com> References: <20200521113004.12438-1-guptap@codeaurora.org> <7aaa8dcc-6a47-f256-431d-2a1b034b4076@arm.com> Message-ID: <90662ef3123dbf2e93f9718ee5cc14a7@codeaurora.org> X-Sender: guptap@codeaurora.org User-Agent: Roundcube Webmail/1.3.9 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-05-22 01:46, Robin Murphy wrote: > On 2020-05-21 12:30, Prakash Gupta wrote: >> Limit the iova size while freeing based on unmapped size. In absence >> of >> this even with unmap failure, invalid iova is pushed to iova rcache >> and >> subsequently can cause panic while rcache magazine is freed. > > Can you elaborate on that panic? > We have seen couple of stability issues around this. Below is one such example: kernel BUG at kernel/msm-4.19/drivers/iommu/iova.c:904! iova_magazine_free_pfns iova_rcache_insert free_iova_fast __iommu_unmap_page iommu_dma_unmap_page It turned out an iova pfn 0 got into iova_rcache. One possibility I see is where client unmap with invalid dma_addr. The unmap call will fail and warn on and still try to free iova. This will cause invalid pfn to be inserted into rcache. As and when the magazine with invalid pfn will be freed private_find_iova() will return NULL for invalid iova and meet bug condition. >> Signed-off-by: Prakash Gupta >> >> :100644 100644 4959f5df21bd 098f7d377e04 M drivers/iommu/dma-iommu.c >> >> diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c >> index 4959f5df21bd..098f7d377e04 100644 >> --- a/drivers/iommu/dma-iommu.c >> +++ b/drivers/iommu/dma-iommu.c >> @@ -472,7 +472,8 @@ static void __iommu_dma_unmap(struct device *dev, >> dma_addr_t dma_addr, >> if (!cookie->fq_domain) >> iommu_tlb_sync(domain, &iotlb_gather); >> - iommu_dma_free_iova(cookie, dma_addr, size); >> + if (unmapped) >> + iommu_dma_free_iova(cookie, dma_addr, unmapped); > > Frankly, if any part of the unmap fails then things have gone > catastrophically wrong already, but either way this isn't right. The > IOVA API doesn't support partial freeing - an IOVA *must* be freed > with its original size, or not freed at all, otherwise it will corrupt > the state of the rcaches and risk a cascade of further misbehaviour > for future callers. > I agree, we shouldn't be freeing the partial iova. Instead just making sure if unmap was successful should be sufficient before freeing iova. So change can instead be something like this: - iommu_dma_free_iova(cookie, dma_addr, size); + if (unmapped) + iommu_dma_free_iova(cookie, dma_addr, size); > TBH my gut feeling here is that you're really just trying to treat a > symptom of another bug elsewhere, namely some driver calling > dma_unmap_* or dma_free_* with the wrong address or size in the first > place. > This condition would arise only if driver calling dma_unmap/free_* with 0 iova_pfn. This will be flagged with a warning during unmap but will trigger panic later on while doing unrelated dma_map/unmap_*. If unmapped has already failed for invalid iova, there is no reason we should consider this as valid iova and free. This part should be fixed. On 2020-05-22 00:19, Andrew Morton wrote: > I think we need a cc:stable here? > Added now. Thanks, Prakash