Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp9334371rwl; Wed, 11 Jan 2023 04:35:03 -0800 (PST) X-Google-Smtp-Source: AMrXdXswpe3ifSDDDfXQxlaljB6o1fG+FzFmg4hmk5fM2KS9fNX7PweVWcdz32bN2zO/scpGalXB X-Received: by 2002:a17:906:54d1:b0:84d:3819:79b9 with SMTP id c17-20020a17090654d100b0084d381979b9mr14009536ejp.71.1673440503767; Wed, 11 Jan 2023 04:35:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673440503; cv=none; d=google.com; s=arc-20160816; b=WNezKBSCoA5O01GZp7XsDXfEfSs7IKehw2yZEZUZbNEvKDvhfWT89+tEcfPxRXCa1o 7V5DecVanTJ79WjGDhRiyIXNj0R9UJXKRYhKDJsqXjCY0EOxVAfGQ59Rn+Ms7ak00RwY W/wFE8N7jarUBYDN1zPz7dumuuEMr3PbNwFl/zWtoShxO16bvqtICcA6sxag9eysAABl oJw24JocqxHORpFpIl6o1F5ymLsf6OWDzSrlp2avgjOusTxzQxoBXtd7V+N7USdiY+uk MEH00uboyTr/UYtYvYoBvNLQfpDN+yaBXR3UJPv5fl7VqQKVm8rnZNlCzuylcalnMyFF qaBQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=MOgbzEn3kTlo8t1d+qHc1uVXnLml6p855i7Aw77M5aQ=; b=bfGyip5Mk+S9SxvA5iA9z5qQXvkc/dHakLHcg93Tc8jeUNQenYQv1SgxT7Tt78Gwc8 jvopkTE+i/9Y9lHaaFbx1cXguZSMMz7BrotvBweHOWiK+Vf7n4X5aCMKhFmpil295B0n BRRep2Qa4gOqJKxpZeqtviBGo6DOf9OOrhdDlXrC3wXgzIjKABVCFMyUF0ZoET4DFKIR UefVw0o0pLD/pOxUvOQS2QNkAxdgcCj0Wlf6FO4VSZoXwEpAb5De1L4kgip/ag6D+Vjn TowyDfX5l8fMYMWNy+UNcqyRTXon8y/my3JlypTA7oQF7if2zsSs6eEXY3x18NDgis4a 1hRA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s10-20020a056402520a00b004617facf124si17724115edd.253.2023.01.11.04.34.50; Wed, 11 Jan 2023 04:35:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232667AbjAKML3 (ORCPT + 55 others); Wed, 11 Jan 2023 07:11:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33018 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233530AbjAKMLO (ORCPT ); Wed, 11 Jan 2023 07:11:14 -0500 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 2ED97262A; Wed, 11 Jan 2023 04:11:12 -0800 (PST) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id F1F2BFEC; Wed, 11 Jan 2023 04:11:53 -0800 (PST) Received: from [10.57.68.138] (unknown [10.57.68.138]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id D7D313F71A; Wed, 11 Jan 2023 04:11:09 -0800 (PST) Message-ID: <02f259fe-1c6f-834b-c29d-aaf2a0595adb@arm.com> Date: Wed, 11 Jan 2023 12:11:04 +0000 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Thunderbird/102.6.1 Subject: Re: [PATCH v2] iommu/iova: Fix alloc iova overflows issue Content-Language: en-GB To: yf.wang@mediatek.com, Joerg Roedel , Will Deacon , Matthias Brugger , "open list:IOMMU DMA-API LAYER" , open list , "moderated list:ARM/Mediatek SoC support" , "moderated list:ARM/Mediatek SoC support" Cc: wsd_upstream@mediatek.com, stable@vger.kernel.org, Libo Kang , Yong Wu , Ning Li , jianjiao zeng References: <20230111063801.25107-1-yf.wang@mediatek.com> From: Robin Murphy In-Reply-To: <20230111063801.25107-1-yf.wang@mediatek.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2023-01-11 06:38, yf.wang@mediatek.com wrote: > From: Yunfei Wang > > In __alloc_and_insert_iova_range, there is an issue that retry_pfn > overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when > iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will > overflow. As a result, if the retry logic is executed, low_pfn is > updated to 0, and then new_pfn < low_pfn returns false to make the > allocation successful. > > This issue occurs in the following two situations: > 1. The first iova size exceeds the domain size. When initializing > iova domain, iovad->cached_node is assigned as iovad->anchor. For > example, the iova domain size is 10M, start_pfn is 0x1_F000_0000, > and the iova size allocated for the first time is 11M. The > following is the log information, new->pfn_lo is smaller than > iovad->cached_node. > > Example log as follows: > [ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range > start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00 > [ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range > success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff > > 2. The node with the largest iova->pfn_lo value in the iova domain > is deleted, iovad->cached_node will be updated to iovad->anchor, > and then the alloc iova size exceeds the maximum iova size that can > be allocated in the domain. > > After judging that retry_pfn is less than limit_pfn, call retry_pfn+1 > to fix the overflow issue. > > Signed-off-by: jianjiao zeng > Signed-off-by: Yunfei Wang > Cc: # 5.15.* Fixes: 4e89dce72521 ("iommu/iova: Retry from last rb tree node if iova search fails") Acked-by: Robin Murphy > --- > v2: Update patch > 1. Cc stable@vger.kernel.org > This patch needs to be merged stable branch, > add stable@vger.kernel.org in mail list. > 2. Refer robin's suggestion to update patch. > > --- > drivers/iommu/iova.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c > index a44ad92fc5eb..fe452ce46642 100644 > --- a/drivers/iommu/iova.c > +++ b/drivers/iommu/iova.c > @@ -197,7 +197,7 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad, > > curr = __get_cached_rbnode(iovad, limit_pfn); > curr_iova = to_iova(curr); > - retry_pfn = curr_iova->pfn_hi + 1; > + retry_pfn = curr_iova->pfn_hi; > > retry: > do { > @@ -211,7 +211,7 @@ static int __alloc_and_insert_iova_range(struct iova_domain *iovad, > if (high_pfn < size || new_pfn < low_pfn) { > if (low_pfn == iovad->start_pfn && retry_pfn < limit_pfn) { > high_pfn = limit_pfn; > - low_pfn = retry_pfn; > + low_pfn = retry_pfn + 1; > curr = iova_find_limit(iovad, limit_pfn); > curr_iova = to_iova(curr); > goto retry;