From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.3 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 57162C433E1 for ; Fri, 22 May 2020 09:24:45 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 17765206C3 for ; Fri, 22 May 2020 09:24:44 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 17765206C3 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 8CD4880007; Fri, 22 May 2020 05:24:44 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 87DBC80008; Fri, 22 May 2020 05:24:44 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 7930080007; Fri, 22 May 2020 05:24:44 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0074.hostedemail.com [216.40.44.74]) by kanga.kvack.org (Postfix) with ESMTP id 5E7CC80008 for ; Fri, 22 May 2020 05:24:44 -0400 (EDT) Received: from smtpin08.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id 18BC7180AD811 for ; Fri, 22 May 2020 09:24:44 +0000 (UTC) X-FDA: 76843820088.08.bit21_4658c55773b61 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin08.hostedemail.com (Postfix) with ESMTP id EE08E1819E623; Fri, 22 May 2020 09:24:43 +0000 (UTC) X-HE-Tag: bit21_4658c55773b61 X-Filterd-Recvd-Size: 5450 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by imf06.hostedemail.com (Postfix) with ESMTP; Fri, 22 May 2020 09:24:43 +0000 (UTC) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5A94A1042; Fri, 22 May 2020 02:24:42 -0700 (PDT) Received: from [10.57.2.168] (unknown [10.57.2.168]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id EFA263F305; Fri, 22 May 2020 02:24:40 -0700 (PDT) Subject: Re: [PATCH] iommu/dma: limit iova free size to unmmaped iova To: guptap@codeaurora.org, Andrew Morton Cc: mhocko@suse.com, joro@8bytes.org, linux-mm@kvack.org, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org, owner-linux-mm@kvack.org, stable@vger.kernel.org References: <20200521113004.12438-1-guptap@codeaurora.org> <7aaa8dcc-6a47-f256-431d-2a1b034b4076@arm.com> <90662ef3123dbf2e93f9718ee5cc14a7@codeaurora.org> From: Robin Murphy Message-ID: <2d873ab9-ebb9-3c2d-f129-55a036ab47d0@arm.com> Date: Fri, 22 May 2020 10:24:39 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Thunderbird/68.8.0 MIME-Version: 1.0 In-Reply-To: <90662ef3123dbf2e93f9718ee5cc14a7@codeaurora.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 2020-05-22 07:25, guptap@codeaurora.org wrote: > On 2020-05-22 01:46, Robin Murphy wrote: >> On 2020-05-21 12:30, Prakash Gupta wrote: >>> Limit the iova size while freeing based on unmapped size. In absence = of >>> this even with unmap failure, invalid iova is pushed to iova rcache a= nd >>> subsequently can cause panic while rcache magazine is freed. >> >> Can you elaborate on that panic? >> > We have seen couple of stability issues around this. > Below is one such example: >=20 > kernel BUG at kernel/msm-4.19/drivers/iommu/iova.c:904! > iova_magazine_free_pfns > iova_rcache_insert > free_iova_fast > __iommu_unmap_page > iommu_dma_unmap_page OK, so it's not some NULL dereference or anything completely unexpected,=20 that's good. > It turned out an iova pfn 0 got into iova_rcache. One possibility I see= is > where client unmap with invalid dma_addr. The unmap call will fail and=20 > warn on > and still try to free iova. This will cause invalid pfn to be inserted = into > rcache. As and when the magazine with invalid pfn will be freed > private_find_iova() will return NULL for invalid iova and meet bug=20 > condition. That would indeed be a bug in whatever driver made the offending=20 dma_unmap call. >>> Signed-off-by: Prakash Gupta >>> >>> :100644 100644 4959f5df21bd 098f7d377e04 M=C2=A0=C2=A0=C2=A0 drivers/= iommu/dma-iommu.c >>> >>> diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c >>> index 4959f5df21bd..098f7d377e04 100644 >>> --- a/drivers/iommu/dma-iommu.c >>> +++ b/drivers/iommu/dma-iommu.c >>> @@ -472,7 +472,8 @@ static void __iommu_dma_unmap(struct device *dev,= =20 >>> dma_addr_t dma_addr, >>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (!cookie->fq_domain) >>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 iommu_tlb_sync= (domain, &iotlb_gather); >>> -=C2=A0=C2=A0=C2=A0 iommu_dma_free_iova(cookie, dma_addr, size); >>> +=C2=A0=C2=A0=C2=A0 if (unmapped) >>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 iommu_dma_free_iova(cooki= e, dma_addr, unmapped); >> >> Frankly, if any part of the unmap fails then things have gone >> catastrophically wrong already, but either way this isn't right. The >> IOVA API doesn't support partial freeing - an IOVA *must* be freed >> with its original size, or not freed at all, otherwise it will corrupt >> the state of the rcaches and risk a cascade of further misbehaviour >> for future callers. >> > I agree, we shouldn't be freeing the partial iova. Instead just making > sure if unmap was successful should be sufficient before freeing iova.=20 > So change > can instead be something like this: >=20 > -=C2=A0=C2=A0=C2=A0 iommu_dma_free_iova(cookie, dma_addr, size); > +=C2=A0=C2=A0=C2=A0 if (unmapped) > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 iommu_dma_free_iova(cookie,= dma_addr, size); >=20 >> TBH my gut feeling here is that you're really just trying to treat a >> symptom of another bug elsewhere, namely some driver calling >> dma_unmap_* or dma_free_* with the wrong address or size in the first >> place. >> > This condition would arise only if driver calling dma_unmap/free_* with= 0 > iova_pfn. This will be flagged with a warning during unmap but will tri= gger > panic later on while doing unrelated dma_map/unmap_*. If unmapped has=20 > already > failed for invalid iova, there is no reason we should consider this as=20 > valid > iova and free. This part should be fixed. I disagree. In general, if drivers call the DMA API incorrectly it is=20 liable to lead to data loss, memory corruption, and various other=20 unpleasant misbehaviour - it is not the DMA layer's job to attempt to=20 paper over driver bugs. There *is* an argument for downgrading the BUG_ON() in=20 iova_magazine_free_pfns() to a WARN_ON(), since frankly it isn't a=20 sufficiently serious condition to justify killing the whole machine=20 immediately, but NAK to bodging the iommu-dma mid-layer to "fix" that. A=20 serious bug already happened elsewhere, so trying to hide the fallout=20 really doesn't help anyone. Robin. > On 2020-05-22 00:19, Andrew Morton wrote: >> I think we need a cc:stable here? >> > Added now. >=20 > Thanks, > Prakash