Subject: [PATCH 05/10] dmapool: debug: prevent endless loop in case of corruption
From: Tony Battersby <tonyb@cybernetics.com>
To: linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: iommu@lists.linux-foundation.org, kernel-team@fb.com, Matthew Wilcox, Keith Busch, Andy Shevchenko, Robin Murphy, Tony Lindgren
Date: Tue, 31 May 2022 14:18:41 -0400
Message-ID: <0c6c1548-6e3a-0d8d-4bb7-471fdfb403ca@cybernetics.com>
In-Reply-To: <9b08ab7c-b80b-527d-9adf-7716b0868fbc@cybernetics.com>
References: <9b08ab7c-b80b-527d-9adf-7716b0868fbc@cybernetics.com>
List-ID: linux-kernel@vger.kernel.org

Prevent a possible endless loop with DMAPOOL_DEBUG enabled if a buggy driver corrupts DMA pool memory.
Signed-off-by: Tony Battersby --- mm/dmapool.c | 37 ++++++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/mm/dmapool.c b/mm/dmapool.c index 9e30f4425dea..7a9161d4f7a6 100644 --- a/mm/dmapool.c +++ b/mm/dmapool.c @@ -426,16 +426,39 @@ void dma_pool_free(struct dma_pool *pool, void *vaddr, dma_addr_t dma) } { unsigned int chain = page->offset; + unsigned int free_blks = 0; + while (chain < pool->allocation) { - if (chain != offset) { - chain = *(int *)(page->vaddr + chain); - continue; + if (unlikely(chain == offset)) { + spin_unlock_irqrestore(&pool->lock, flags); + dev_err(pool->dev, + "%s %s, dma %pad already free\n", + __func__, pool->name, &dma); + return; } - spin_unlock_irqrestore(&pool->lock, flags); - dev_err(pool->dev, "%s %s, dma %pad already free\n", - __func__, pool->name, &dma); - return; + + /* + * A buggy driver could corrupt the freelist by + * use-after-free, buffer overflow, etc. Besides + * checking for corruption, this also prevents an + * endless loop in case corruption causes a circular + * loop in the freelist. + */ + if (unlikely(++free_blks + page->in_use > + pool->blks_per_alloc)) { + freelist_corrupt: + spin_unlock_irqrestore(&pool->lock, flags); + dev_err(pool->dev, + "%s %s, freelist corrupted\n", + __func__, pool->name); + return; + } + + chain = *(int *)(page->vaddr + chain); } + if (unlikely(free_blks + page->in_use != + pool->blks_per_alloc)) + goto freelist_corrupt; } memset(vaddr, POOL_POISON_FREED, pool->size); #endif -- 2.25.1
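Review bot: the `freelist_corrupt:` label is placed inside the body of the `if (unlikely(++free_blks + page->in_use > pool->blks_per_alloc))` block within the while loop, and the post-loop `goto freelist_corrupt` jumps backwards into that block; that is legal C but hard to read and easy to break on the next edit. The label and goto can go away entirely: since a count that exceeds `pool->blks_per_alloc` also fails the post-loop equality test, the in-loop check can simply `break;` and the single check after the loop, `if (unlikely(free_blks + page->in_use != pool->blks_per_alloc))`, can own the unlock, the "freelist corrupted" dev_err and the return for both cases. Separately, `chain < pool->allocation` is the only guard before `chain = *(int *)(page->vaddr + chain);`, so a corrupted offset in the last three bytes of the allocation still reads an `int` past the end of the block; with the rest of this hunk being about tolerating corruption, consider also rejecting a `chain` that is not a multiple of the block size (or at least requiring `chain + sizeof(int) <= pool->allocation`) before dereferencing it, reporting that as freelist corruption too.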