From: Steven Sistare <steven.sistare@oracle.com>
To: Alex Williamson <alex.williamson@redhat.com>,
Dan Carpenter <dan.carpenter@oracle.com>
Cc: kbuild@lists.01.org, lkp@intel.com, kbuild-all@lists.01.org,
Linux Memory Management List <linux-mm@kvack.org>,
Cornelia Huck <cohuck@redhat.com>
Subject: Re: [kbuild] [linux-next:master 6931/12022] drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'
Date: Tue, 23 Feb 2021 08:56:36 -0500 [thread overview]
Message-ID: <de835b3f-8aef-2879-f637-97a24e810570@oracle.com> (raw)
In-Reply-To: <20210222161753.7acc4e92@omen.home.shazbot.org>
On 2/22/2021 6:17 PM, Alex Williamson wrote:
> On Mon, 22 Feb 2021 15:51:45 -0700
> Alex Williamson <alex.williamson@redhat.com> wrote:
>
>> On Mon, 22 Feb 2021 17:10:43 +0300
>> Dan Carpenter <dan.carpenter@oracle.com> wrote:
>>
>>> tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
>>> head: 37dfbfbdca66834bc0f64ec9b35e09ac6c8898da
>>> commit: 0f53afa12baec8c00f5d1d6afb49325ada105253 [6931/12022] vfio/type1: unmap cleanup
>>
>> It's always the patches that claim no functional change... ;)
>>
>>> config: i386-randconfig-m021-20210222 (attached as .config)
>>> compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
>>>
>>> If you fix the issue, kindly add following tag as appropriate
>>> Reported-by: kernel test robot <lkp@intel.com>
>>> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
>>>
>>> New smatch warnings:
>>> drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'
>>>
>>> vim +1093 drivers/vfio/vfio_iommu_type1.c
>>>
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1071 static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1072 struct vfio_iommu_type1_dma_unmap *unmap,
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1073 struct vfio_bitmap *bitmap)
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1074 {
>>> c086de818dd81c Kirti Wankhede 2016-11-17 1075 struct vfio_dma *dma, *dma_last = NULL;
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1076 size_t unmapped = 0, pgsize;
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1077 int ret = -EINVAL, retries = 0;
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1078 unsigned long pgshift;
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1079 dma_addr_t iova = unmap->iova;
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1080 unsigned long size = unmap->size;
>>> ^^^^^^^^^^^^^^^^^^
>>>
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1081
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1082 mutex_lock(&iommu->lock);
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1083
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1084 pgshift = __ffs(iommu->pgsize_bitmap);
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1085 pgsize = (size_t)1 << pgshift;
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1086
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1087 if (iova & (pgsize - 1))
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1088 goto unlock;
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1089
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 1090 if (!size || size & (pgsize - 1))
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1091 goto unlock;
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1092
>>> 0f53afa12baec8 Steve Sistare 2021-01-29 @1093 if (iova + size - 1 < iova || size > SIZE_MAX)
>>>
>>> size is unsigned long and SIZE_MAX is ULONG_MAX so "size > SIZE_MAX"
>>> does not make sense.
>>
>> I think it made sense before the above commit, where unmap->size is a
>> __u64 and a user could provide a value that exceeds SIZE_MAX on ILP32.
>> Seems like the fix is probably to use a size_t for the local variable
>> and restore this test to compare (unmap->size > SIZE_MAX). Steve?
>
> Actually it seems like VFIO_DMA_UNMAP_FLAG_ALL doesn't work when
> PHYS_ADDR_MAX != SIZE_MAX (ex. x86 PAE - I think).
It seems like PAE causes problems even before VFIO_DMA_UNMAP_FLAG_ALL.
In the previous vfio_dma_do_unmap code, the u64 unmap->size would be
truncated when passed to vfio_find_dma.
For unmap, these fixes should suffice, and I would rather do this than
disable the unmap-all flag for a corner case:
vfio_dma_do_unmap()
size_t unmapped = 0;
unsigned long size = unmap->size;
==>
u64 unmapped = 0;
u64 size = unmap->size;
static struct rb_node *vfio_find_dma_first_node(
struct vfio_iommu *iommu, dma_addr_t start, size_t size)
==>
static struct rb_node *vfio_find_dma_first_node(
struct vfio_iommu *iommu, dma_addr_t start, u64 size)
And maybe use dma_addr_t instead of u64 in the above (which is 64 bits for
CONFIG_X86_PAE).
However, there are other places in the existing code that need tweaking
to be safe for PAE, the vfio_find_dma() size arg for one.
- Steve
> I can't say I'm
> really interested in adding complexity to make it work in such a case
> either. Maybe we can just not expose it, ex:
>
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index ed03f3fcb07e..6b69a74b3db0 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -1207,7 +1207,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> int ret = -EINVAL, retries = 0;
> unsigned long pgshift;
> dma_addr_t iova = unmap->iova;
> - unsigned long size = unmap->size;
> + size_t size = unmap->size;
> bool unmap_all = unmap->flags & VFIO_DMA_UNMAP_FLAG_ALL;
> bool invalidate_vaddr = unmap->flags & VFIO_DMA_UNMAP_FLAG_VADDR;
> struct rb_node *n, *first_n;
> @@ -1228,7 +1228,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> goto unlock;
> }
>
> - if (iova + size - 1 < iova || size > SIZE_MAX)
> + if (iova + size - 1 < iova || unmap->size > SIZE_MAX)
> goto unlock;
>
> /* When dirty tracking is enabled, allow only min supported pgsize */
> @@ -2657,9 +2657,10 @@ static int vfio_iommu_type1_check_extension(struct vfio_iommu *iommu,
> case VFIO_TYPE1_IOMMU:
> case VFIO_TYPE1v2_IOMMU:
> case VFIO_TYPE1_NESTING_IOMMU:
> - case VFIO_UNMAP_ALL:
> case VFIO_UPDATE_VADDR:
> return 1;
> + case VFIO_UNMAP_ALL:
> + return PHYS_ADDR_MAX == SIZE_MAX ? 1 : 0;
> case VFIO_DMA_CC_IOMMU:
> if (!iommu)
> return 0;
> @@ -2868,6 +2869,10 @@ static int vfio_iommu_type1_unmap_dma(struct vfio_iommu *iommu,
> VFIO_DMA_UNMAP_FLAG_VADDR)))
> return -EINVAL;
>
> + if ((PHYS_ADDR_MAX != SIZE_MAX) &&
> + (unmap.flags & VFIO_DMA_UNMAP_FLAG_ALL))
> + return -EINVAL;
> +
> if (unmap.flags & VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP) {
> unsigned long pgshift;
>
>
>
>
>
>>> Is the " - 1" intentional on the other overflow check? As in it's okay
>>> to wrap around to zero but not further than that? Sometimes this is
>>> intentional but it requires more subsystem expertise than I possess.
>>
>> Yes, since we're dealing with a start + length we need to account for
>> the -1 in the end value, otherwise the user could never unmap the last
>> page of the address space. Thanks for the report!
>>
>> Alex
>>
>>> cade075f265b25 Kirti Wankhede 2020-05-29 1094 goto unlock;
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1095
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1096 /* When dirty tracking is enabled, allow only min supported pgsize */
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1097 if ((unmap->flags & VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP) &&
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1098 (!iommu->dirty_page_tracking || (bitmap->pgsize != pgsize))) {
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1099 goto unlock;
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1100 }
>>> 73fa0d10d077d9 Alex Williamson 2012-07-31 1101
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1102 WARN_ON((pgsize - 1) & PAGE_MASK);
>>> 331e33d2960c82 Kirti Wankhede 2020-05-29 1103 again:
>>> 1ef3e2bc04223f Alex Williamson 2014-02-26 1104 /*
>>>
>>> ---
>>> 0-DAY CI Kernel Test Service, Intel Corporation
>>> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
>>
>
next prev parent reply other threads:[~2021-02-23 13:56 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-22 14:10 Dan Carpenter
2021-02-22 22:51 ` Alex Williamson
2021-02-22 23:17 ` Alex Williamson
2021-02-23 13:56 ` Steven Sistare [this message]
2021-02-23 17:45 ` Alex Williamson
2021-02-23 20:37 ` Steven Sistare
2021-02-23 21:10 ` Alex Williamson
2021-02-23 21:52 ` Steven Sistare
2021-02-23 23:58 ` Steven Sistare
2021-02-24 22:55 ` Alex Williamson
2021-02-25 15:25 ` Steven Sistare
2021-02-25 18:00 ` Alex Williamson
2021-02-25 18:52 ` Steven Sistare
2021-02-25 19:12 ` Alex Williamson
2021-02-23 13:20 ` Steven Sistare
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=de835b3f-8aef-2879-f637-97a24e810570@oracle.com \
--to=steven.sistare@oracle.com \
--cc=alex.williamson@redhat.com \
--cc=cohuck@redhat.com \
--cc=dan.carpenter@oracle.com \
--cc=kbuild-all@lists.01.org \
--cc=kbuild@lists.01.org \
--cc=linux-mm@kvack.org \
--cc=lkp@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox