Re: [PATCH v4 2/3] iommu/iova: Avoid double-negatives in magazine helpers

From: John Garry
Date: Mon Jan 18 2021 - 05:13:52 EST

Next message: Laurent Pinchart: "Re: [PATCH 2/3] drm/ingenic: Register devm action to cleanup encoders"
Previous message: Marc Zyngier: "[PATCH v4 02/21] arm64: Fix outdated TCR setup comment"
Next in thread: Jean-Philippe Brucker: "Re: [PATCH v4 2/3] iommu/iova: Avoid double-negatives in magazine helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 15/01/2021 17:30, Jean-Philippe Brucker wrote:

On Thu, Dec 10, 2020 at 02:23:08AM +0800, John Garry wrote:

A similar crash to the following could be observed if initial CPU rcache
magazine allocations fail in init_iova_rcaches():

thanks for having a look

Any idea why that's happening? This fix seems ok but if we're expecting
allocation failures for the loaded magazine then we could easily get it
for cpu_rcaches too, and get a similar abort at runtime.

It's not specifically that we expect them (allocation failures for the loaded magazine), rather we should make safe against it.

So could you be more specific in your concern for the cpu_rcache failure? cpu_rcache magazine assignment comes from this logic.

Anyway, logic like "if not full" or "if not empty" is poor as the outcome for NULL is ambiguous (maybe there's a better word) and the code is not safe against it, and so I replace with "if space" or "if have an IOVA", respectively.

Thanks,
John

Thanks,
Jean

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:

free_iova_fast+0xfc/0x280
iommu_dma_free_iova+0x64/0x70
__iommu_dma_unmap+0x9c/0xf8
iommu_dma_unmap_sg+0xa8/0xc8
dma_unmap_sg_attrs+0x28/0x50
cq_thread_v3_hw+0x2dc/0x528
irq_thread_fn+0x2c/0xa0
irq_thread+0x130/0x1e0
kthread+0x154/0x158
ret_from_fork+0x10/0x34

The issue is that expression !iova_magazine_full(NULL) evaluates true; this
falls over in __iova_rcache_insert() when we attempt to cache a mag and
cpu_rcache->loaded == NULL:

if (!iova_magazine_full(cpu_rcache->loaded)) {
can_insert = true;
...

if (can_insert)
iova_magazine_push(cpu_rcache->loaded, iova_pfn);

As above, can_insert is evaluated true, which it shouldn't be, and we try
to insert pfns in a NULL mag, which is not safe.

To avoid this, stop using double-negatives, like !iova_magazine_full() and
!iova_magazine_empty(), and use positive tests, like
iova_magazine_has_space() and iova_magazine_has_pfns(), respectively; these
can safely deal with cpu_rcache->{loaded, prev} = NULL.

Signed-off-by: John Garry <john.garry@xxxxxxxxxx>
Tested-by: Xiang Chen <chenxiang66@xxxxxxxxxxxxx>
Reviewed-by: Zhen Lei <thunder.leizhen@xxxxxxxxxx>

---
drivers/iommu/iova.c | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/drivers/iommu/iova.c b/drivers/iommu/iova.c
index cf1aacda2fe4..732ee687e0e2 100644
--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -767,14 +767,18 @@ iova_magazine_free_pfns(struct iova_magazine *mag, struct iova_domain *iovad)
mag->size = 0;
}
-static bool iova_magazine_full(struct iova_magazine *mag)
+static bool iova_magazine_has_space(struct iova_magazine *mag)
{
- return (mag && mag->size == IOVA_MAG_SIZE);
+ if (!mag)
+ return false;
+ return mag->size < IOVA_MAG_SIZE;
}
-static bool iova_magazine_empty(struct iova_magazine *mag)
+static bool iova_magazine_has_pfns(struct iova_magazine *mag)
{
- return (!mag || mag->size == 0);
+ if (!mag)
+ return false;
+ return mag->size;
}
static unsigned long iova_magazine_pop(struct iova_magazine *mag,
@@ -783,7 +787,7 @@ static unsigned long iova_magazine_pop(struct iova_magazine *mag,
int i;
unsigned long pfn;
- BUG_ON(iova_magazine_empty(mag));
+ BUG_ON(!iova_magazine_has_pfns(mag));
/* Only fall back to the rbtree if we have no suitable pfns at all */
for (i = mag->size - 1; mag->pfns[i] > limit_pfn; i--)
@@ -799,7 +803,7 @@ static unsigned long iova_magazine_pop(struct iova_magazine *mag,
static void iova_magazine_push(struct iova_magazine *mag, unsigned long pfn)
{
- BUG_ON(iova_magazine_full(mag));
+ BUG_ON(!iova_magazine_has_space(mag));
mag->pfns[mag->size++] = pfn;
}
@@ -845,9 +849,9 @@ static bool __iova_rcache_insert(struct iova_domain *iovad,
cpu_rcache = raw_cpu_ptr(rcache->cpu_rcaches);
spin_lock_irqsave(&cpu_rcache->lock, flags);
- if (!iova_magazine_full(cpu_rcache->loaded)) {
+ if (iova_magazine_has_space(cpu_rcache->loaded)) {
can_insert = true;
- } else if (!iova_magazine_full(cpu_rcache->prev)) {
+ } else if (iova_magazine_has_space(cpu_rcache->prev)) {
swap(cpu_rcache->prev, cpu_rcache->loaded);
can_insert = true;
} else {
@@ -856,8 +860,9 @@ static bool __iova_rcache_insert(struct iova_domain *iovad,
if (new_mag) {
spin_lock(&rcache->lock);
if (rcache->depot_size < MAX_GLOBAL_MAGS) {
- rcache->depot[rcache->depot_size++] =
- cpu_rcache->loaded;
+ if (cpu_rcache->loaded)
+ rcache->depot[rcache->depot_size++] =
+ cpu_rcache->loaded;
} else {
mag_to_free = cpu_rcache->loaded;
}
@@ -908,9 +913,9 @@ static unsigned long __iova_rcache_get(struct iova_rcache *rcache,
cpu_rcache = raw_cpu_ptr(rcache->cpu_rcaches);
spin_lock_irqsave(&cpu_rcache->lock, flags);
- if (!iova_magazine_empty(cpu_rcache->loaded)) {
+ if (iova_magazine_has_pfns(cpu_rcache->loaded)) {
has_pfn = true;
- } else if (!iova_magazine_empty(cpu_rcache->prev)) {
+ } else if (iova_magazine_has_pfns(cpu_rcache->prev)) {
swap(cpu_rcache->prev, cpu_rcache->loaded);
has_pfn = true;
} else {
--
2.26.2

_______________________________________________
iommu mailing list
iommu@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/iommu

.

Next message: Laurent Pinchart: "Re: [PATCH 2/3] drm/ingenic: Register devm action to cleanup encoders"
Previous message: Marc Zyngier: "[PATCH v4 02/21] arm64: Fix outdated TCR setup comment"
Next in thread: Jean-Philippe Brucker: "Re: [PATCH v4 2/3] iommu/iova: Avoid double-negatives in magazine helpers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]