Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp192030pxx; Wed, 28 Oct 2020 02:16:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyvOt7BBqnzPgLEc3oEO/06H6NMqtVkwbQx79R10av8aWsl+W2Jo5ssbxLvKam0KXlbYZw0 X-Received: by 2002:a17:906:5402:: with SMTP id q2mr6528597ejo.316.1603876593425; Wed, 28 Oct 2020 02:16:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603876593; cv=none; d=google.com; s=arc-20160816; b=X6vHZSIKms+tvhhLcX7bImR+aMBFQdx3qY++d7tXQOvG1i3h3Fyr8RgQm4K/tnBI63 ub0dRimQYIgHEo8AE/Jg4VvarCgBjCdvaF0g+tzs4OhBsMbArFKTLBDYAgetkZXy6uap m1xNYN6+ctu5d9sXrZ+xGAuPvPq+Nn9KOBWETWZf3BoNKEuJPr9vxSQBuFGtOW3zPjqB njN7L9Yj/aBEl+UsZ6lVupqnFwsNJxixvqSmp/Z0k6M0QKRual2yp0+nDZqs204kqQ9J HBD1v/RqKvEa9dj2wEWWGakhFyHYadRZgZ6UbrotR8c9013THWKJCaH0YIoqGIKpQljy /I0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=uOQNvLJOlecZq7uz6QkXEdnTrLzuYt8VJGa737TIDmI=; b=JmvDq2mED9X7YH8mIblmP0yPAD3YxA68p9f2hFWQlZ8wPU/WO5d0plvDMODZLUYNON M/7xoxls2pjP51vS5WT2RYAR8AbRjiRUyVVRUj35OBSgc8IiV7PPybfhnlhnzk8olPlM cuEU5h4Y9fD19QtEh6U/9AX971ipEEMTpucFxW/J3vxTArqzV7K9OBEIcRzzlteWrLaz yv79Gfr7YsqpCtANJ8LFQ45/I97L2Z80HQSZ9LQ3YZ6f/wL/aVvrY7Zi3BbPZE/1EoIr D3HGPvAUz12ChFKyiDrPr4tlzwiO24oKKyheJIw4gOKS36Ibv/2l1VtrWnWGQUIqqAsZ f1nQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=inU3ojZP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q18si2524555edb.466.2020.10.28.02.16.11; Wed, 28 Oct 2020 02:16:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=inU3ojZP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756643AbgJ0OSd (ORCPT + 99 others); Tue, 27 Oct 2020 10:18:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:36988 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756906AbgJ0OPL (ORCPT ); Tue, 27 Oct 2020 10:15:11 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 14AE1206F7; Tue, 27 Oct 2020 14:15:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603808110; bh=c+hKADWJK/1wsGh/aViROL3bcWaIRh94iWjLK3xVe/c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=inU3ojZPLkZAlYpJO2Wl+izwcR+iRdeUInnw0RL9hZB1d64Maw69vpPUApjLHSgaE 4QfiLMe8GH8+D/MUm8gvBxlW3MMl2ET4iC9lnE0v5BKAChOTU+6KXvvVS4vJ020NRf zu0DO/pfBYjfCy897ACpX7I5+eiX5Jbrmix2ssaA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sherry Sun , Joakim Zhang , Sasha Levin Subject: [PATCH 4.14 160/191] misc: vop: add round_up(x,4) for vring_size to avoid kernel panic Date: Tue, 27 Oct 2020 14:50:15 +0100 Message-Id: <20201027134917.411900072@linuxfoundation.org> X-Mailer: git-send-email 2.29.1 In-Reply-To: <20201027134909.701581493@linuxfoundation.org> References: <20201027134909.701581493@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sherry Sun [ Upstream commit cc1a2679865a94b83804822996eed010a50a7c1d ] Since struct _mic_vring_info and vring are allocated together and follow vring, if the vring_size() is not four bytes aligned, which will cause the start address of struct _mic_vring_info is not four byte aligned. For example, when vring entries is 128, the vring_size() will be 5126 bytes. The _mic_vring_info struct layout in ddr looks like: 0x90002400: 00000000 00390000 EE010000 0000C0FF Here 0x39 is the avail_idx member, and 0xC0FFEE01 is the magic member. When EP use ioread32(magic) to reads the magic in RC's share memory, it will cause kernel panic on ARM64 platform due to the cross-byte io read. Here read magic in user space use le32toh(vr0->info->magic) will meet the same issue. So add round_up(x,4) for vring_size, then the struct _mic_vring_info will store in this way: 0x90002400: 00000000 00000000 00000039 C0FFEE01 Which will avoid kernel panic when read magic in struct _mic_vring_info. Signed-off-by: Sherry Sun Signed-off-by: Joakim Zhang Link: https://lore.kernel.org/r/20200929091106.24624-4-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/misc/mic/vop/vop_main.c | 2 +- drivers/misc/mic/vop/vop_vringh.c | 4 ++-- samples/mic/mpssd/mpssd.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/misc/mic/vop/vop_main.c b/drivers/misc/mic/vop/vop_main.c index a341938c7e2c6..e7cb57f8ddfe2 100644 --- a/drivers/misc/mic/vop/vop_main.c +++ b/drivers/misc/mic/vop/vop_main.c @@ -301,7 +301,7 @@ static struct virtqueue *vop_find_vq(struct virtio_device *dev, /* First assign the vring's allocated in host memory */ vqconfig = _vop_vq_config(vdev->desc) + index; memcpy_fromio(&config, vqconfig, sizeof(config)); - _vr_size = vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN); + _vr_size = round_up(vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN), 4); vr_size = PAGE_ALIGN(_vr_size + sizeof(struct _mic_vring_info)); va = vpdev->hw_ops->ioremap(vpdev, le64_to_cpu(config.address), vr_size); diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c index 99bde52a3a256..49e7a7240469c 100644 --- a/drivers/misc/mic/vop/vop_vringh.c +++ b/drivers/misc/mic/vop/vop_vringh.c @@ -308,7 +308,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev, num = le16_to_cpu(vqconfig[i].num); mutex_init(&vvr->vr_mutex); - vr_size = PAGE_ALIGN(vring_size(num, MIC_VIRTIO_RING_ALIGN) + + vr_size = PAGE_ALIGN(round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4) + sizeof(struct _mic_vring_info)); vr->va = (void *) __get_free_pages(GFP_KERNEL | __GFP_ZERO, @@ -320,7 +320,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev, goto err; } vr->len = vr_size; - vr->info = vr->va + vring_size(num, MIC_VIRTIO_RING_ALIGN); + vr->info = vr->va + round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4); vr->info->magic = cpu_to_le32(MIC_MAGIC + vdev->virtio_id + i); vr_addr = dma_map_single(&vpdev->dev, vr->va, vr_size, DMA_BIDIRECTIONAL); diff --git a/samples/mic/mpssd/mpssd.c b/samples/mic/mpssd/mpssd.c index 49db1def1721c..84e583ab8fd0c 100644 --- a/samples/mic/mpssd/mpssd.c +++ b/samples/mic/mpssd/mpssd.c @@ -414,9 +414,9 @@ mic_virtio_copy(struct mic_info *mic, int fd, static inline unsigned _vring_size(unsigned int num, unsigned long align) { - return ((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num) + return _ALIGN_UP(((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num) + align - 1) & ~(align - 1)) - + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num; + + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num, 4); } /* -- 2.25.1