From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 1B30E7F for ; Mon, 1 Aug 2022 18:48:01 +0000 (UTC) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CAE8F139F; Mon, 1 Aug 2022 11:48:01 -0700 (PDT) Received: from [10.57.10.23] (unknown [10.57.10.23]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 1EFDF3F67D; Mon, 1 Aug 2022 11:47:58 -0700 (PDT) Message-ID: <15735fab-e53d-e95d-84f8-ae2e435dbb78@arm.com> Date: Mon, 1 Aug 2022 19:47:54 +0100 Precedence: bulk X-Mailing-List: iommu@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [PATCH] dma-debug: Fix overflow issue in bucket_find_contain Content-Language: en-GB To: yf.wang@mediatek.com, Christoph Hellwig , Marek Szyprowski , Matthias Brugger , "open list:DMA MAPPING HELPERS" , open list , "moderated list:ARM/Mediatek SoC support" , "moderated list:ARM/Mediatek SoC support" Cc: wsd_upstream@mediatek.com, Libo Kang , Ning Li , Yong Wu , Miles Chen , jianjiao zeng References: <20220730114146.32669-1-yf.wang@mediatek.com> From: Robin Murphy In-Reply-To: <20220730114146.32669-1-yf.wang@mediatek.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 2022-07-30 12:41, yf.wang@mediatek.com wrote: > From: Yunfei Wang > > There are two issue: > 1. If max_rang is set to 0xFFFF_FFFF, and __hash_bucket_find always > returns NULL, the rang will be accumulated. When rang is accumulated > to 0xFFFF_E000, after executing rang += (1 << HASH_FN_SHIFT) again, > rang will overflow to 0, making it impossible to exit the while loop. > 2. dev_addr reduce maybe overflow. > > So, add range and dev_addr check to avoid overflow. > > Signed-off-by: jianjiao zeng > Signed-off-by: Yunfei Wang > --- > kernel/dma/debug.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c > index ad731f7858c9..9d7d54cd4c63 100644 > --- a/kernel/dma/debug.c > +++ b/kernel/dma/debug.c > @@ -352,6 +352,7 @@ static struct dma_debug_entry *bucket_find_contain(struct hash_bucket **bucket, > > unsigned int max_range = dma_get_max_seg_size(ref->dev); > struct dma_debug_entry *entry, index = *ref; > + unsigned int shift = (1 << HASH_FN_SHIFT); > unsigned int range = 0; > > while (range <= max_range) { > @@ -360,12 +361,15 @@ static struct dma_debug_entry *bucket_find_contain(struct hash_bucket **bucket, > if (entry) > return entry; > > + if (max_range - range < shift || index.dev_addr < shift) > + return NULL; This seems a bit clunky since the first condition here effectively makes the loop condition redundant. FWIW I found the whole "range" business here rather hard to make sense of - personally I'd calculate a lower bound for the address then just iterate down to that, but maybe that's just me :/ Otherwise, at the very least we should be capping max_range so that the loop doesn't go beyond HASH_SIZE iterations and pointlessly search the same buckets more than once - it's stupid to even *get* to the point of having to worry about that overflowing. Whether we really care about dev_addr underflow is then another matter. Really it would seem even more logical to make this a lower-level function that can walk round the dma_entry_hash array directly and not have to monkey about with the fake "index" entry at all, but cleaning up the almost-unnecessary amount of internal abstractions here is maybe more work than it's worth at this point. Robin. > + > /* > * Nothing found, go back a hash bucket > */ > put_hash_bucket(*bucket, *flags); > - range += (1 << HASH_FN_SHIFT); > - index.dev_addr -= (1 << HASH_FN_SHIFT); > + range += shift; > + index.dev_addr -= shift; > *bucket = get_hash_bucket(&index, flags); > } > From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C9E01C00144 for ; Mon, 1 Aug 2022 18:49:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Content-Type: Content-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:From:References:Cc:To:Subject: MIME-Version:Date:Message-ID:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=dg24PdhZbS+jqlToG8hCdi1DGyj9wQi9FFH6BkWNwxM=; b=Ow2TF2g9sEmFHA hXlEUMmai+KNRHSASKoPFCnCtgPX8b4Yyw8v/py0IhHZL5ZizZ+HlGe73eRM54eQCy/AM1JPkFS7U IkTzYtRcb7LMGKFD41yq0UgIcXEXpZV37KA0WVSg7uiTx+gxSC7BL3807JO7TgHiET7QZvp9JGGBg Uynm8uh903CGFT9K37TpPRLd1tIjKqKQYPsnvjUDNYSVFYvM/R/0ZUMwoheAf5bhn2fsQIgt5BuZ0 l+ambCypsXqZKf1hD9/2hx9rFr0zBCwFx7zzCoNhS6eAb2vta2ewe2r5eAyUPGK5Kd0CihsCKnNCa JakVSBRPLeVlEpMoSRIg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1oIaSY-009LqH-2Z; Mon, 01 Aug 2022 18:48:10 +0000 Received: from foss.arm.com ([217.140.110.172]) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1oIaST-009Lfs-Cx; Mon, 01 Aug 2022 18:48:07 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CAE8F139F; Mon, 1 Aug 2022 11:48:01 -0700 (PDT) Received: from [10.57.10.23] (unknown [10.57.10.23]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 1EFDF3F67D; Mon, 1 Aug 2022 11:47:58 -0700 (PDT) Message-ID: <15735fab-e53d-e95d-84f8-ae2e435dbb78@arm.com> Date: Mon, 1 Aug 2022 19:47:54 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [PATCH] dma-debug: Fix overflow issue in bucket_find_contain Content-Language: en-GB To: yf.wang@mediatek.com, Christoph Hellwig , Marek Szyprowski , Matthias Brugger , "open list:DMA MAPPING HELPERS" , open list , "moderated list:ARM/Mediatek SoC support" , "moderated list:ARM/Mediatek SoC support" Cc: wsd_upstream@mediatek.com, Libo Kang , Ning Li , Yong Wu , Miles Chen , jianjiao zeng References: <20220730114146.32669-1-yf.wang@mediatek.com> From: Robin Murphy In-Reply-To: <20220730114146.32669-1-yf.wang@mediatek.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220801_114805_609082_46693C51 X-CRM114-Status: GOOD ( 22.45 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 2022-07-30 12:41, yf.wang@mediatek.com wrote: > From: Yunfei Wang > > There are two issue: > 1. If max_rang is set to 0xFFFF_FFFF, and __hash_bucket_find always > returns NULL, the rang will be accumulated. When rang is accumulated > to 0xFFFF_E000, after executing rang += (1 << HASH_FN_SHIFT) again, > rang will overflow to 0, making it impossible to exit the while loop. > 2. dev_addr reduce maybe overflow. > > So, add range and dev_addr check to avoid overflow. > > Signed-off-by: jianjiao zeng > Signed-off-by: Yunfei Wang > --- > kernel/dma/debug.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c > index ad731f7858c9..9d7d54cd4c63 100644 > --- a/kernel/dma/debug.c > +++ b/kernel/dma/debug.c > @@ -352,6 +352,7 @@ static struct dma_debug_entry *bucket_find_contain(struct hash_bucket **bucket, > > unsigned int max_range = dma_get_max_seg_size(ref->dev); > struct dma_debug_entry *entry, index = *ref; > + unsigned int shift = (1 << HASH_FN_SHIFT); > unsigned int range = 0; > > while (range <= max_range) { > @@ -360,12 +361,15 @@ static struct dma_debug_entry *bucket_find_contain(struct hash_bucket **bucket, > if (entry) > return entry; > > + if (max_range - range < shift || index.dev_addr < shift) > + return NULL; This seems a bit clunky since the first condition here effectively makes the loop condition redundant. FWIW I found the whole "range" business here rather hard to make sense of - personally I'd calculate a lower bound for the address then just iterate down to that, but maybe that's just me :/ Otherwise, at the very least we should be capping max_range so that the loop doesn't go beyond HASH_SIZE iterations and pointlessly search the same buckets more than once - it's stupid to even *get* to the point of having to worry about that overflowing. Whether we really care about dev_addr underflow is then another matter. Really it would seem even more logical to make this a lower-level function that can walk round the dma_entry_hash array directly and not have to monkey about with the fake "index" entry at all, but cleaning up the almost-unnecessary amount of internal abstractions here is maybe more work than it's worth at this point. Robin. > + > /* > * Nothing found, go back a hash bucket > */ > put_hash_bucket(*bucket, *flags); > - range += (1 << HASH_FN_SHIFT); > - index.dev_addr -= (1 << HASH_FN_SHIFT); > + range += shift; > + index.dev_addr -= shift; > *bucket = get_hash_bucket(&index, flags); > } > _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel