[PATCH 3.10 04/78] ALSA: memalloc.h - fix wrong truncation of dma_addr_t

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Stefano Panella <stefano.panella@citrix.com>,
	Frediano Ziglio <frediano.ziglio@citrix.com>,
	Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.10 04/78] ALSA: memalloc.h - fix wrong truncation of dma_addr_t
Date: Wed, 18 Dec 2013 13:10:32 -0800	[thread overview]
Message-ID: <20131218211112.028650310@linuxfoundation.org> (raw)
In-Reply-To: <20131218211111.903835960@linuxfoundation.org>

3.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Panella <stefano.panella@citrix.com>

commit 932e9dec380c67ec15ac3eb073bb55797d8b4801 upstream.

When running a 32bit kernel the hda_intel driver is still reporting
a 64bit dma_mask if the HW supports it.

>From sound/pci/hda/hda_intel.c:

        /* allow 64bit DMA address if supported by H/W */
        if ((gcap & ICH6_GCAP_64OK) && !pci_set_dma_mask(pci, DMA_BIT_MASK(64)))
                pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(64));
        else {
                pci_set_dma_mask(pci, DMA_BIT_MASK(32));
                pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(32));
        }

which means when there is a call to dma_alloc_coherent from
snd_malloc_dev_pages a machine address bigger than 32bit can be returned.
This can be true in particular if running  the 32bit kernel as a pv dom0
under the Xen Hypervisor or PAE on bare metal.

The problem is that when calling setup_bdle to program the BLE the
dma_addr_t returned from the dma_alloc_coherent is wrongly truncated
from snd_sgbuf_get_addr if running a 32bit kernel:

static inline dma_addr_t snd_sgbuf_get_addr(struct snd_dma_buffer *dmab,
                                           size_t offset)
{
        struct snd_sg_buf *sgbuf = dmab->private_data;
        dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr;
        addr &= PAGE_MASK;
        return addr + offset % PAGE_SIZE;
}

where PAGE_MASK in a 32bit kernel is zeroing the upper 32bit af addr.

Without this patch the HW will fetch the 32bit truncated address,
which is not the one obtained from dma_alloc_coherent and will result
to a non working audio but can corrupt host memory at a random location.

The current patch apply to v3.13-rc3-74-g6c843f5

Signed-off-by: Stefano Panella <stefano.panella@citrix.com>
Reviewed-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/sound/memalloc.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/sound/memalloc.h
+++ b/include/sound/memalloc.h
@@ -103,7 +103,7 @@ static inline dma_addr_t snd_sgbuf_get_a
 {
 	struct snd_sg_buf *sgbuf = dmab->private_data;
 	dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr;
-	addr &= PAGE_MASK;
+	addr &= ~((dma_addr_t)PAGE_SIZE - 1);
 	return addr + offset % PAGE_SIZE;
 }

WARNING: multiple messages have this Message-ID (diff)

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Stefano Panella <stefano.panella@citrix.com>,
	Frediano Ziglio <frediano.ziglio@citrix.com>,
	Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.10 04/78] ALSA: memalloc.h - fix wrong truncation of dma_addr_t
Date: Wed, 18 Dec 2013 13:10:32 -0800	[thread overview]
Message-ID: <20131218211112.028650310@linuxfoundation.org> (raw)
In-Reply-To: <20131218211111.903835960@linuxfoundation.org>

3.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Panella <stefano.panella@citrix.com>

commit 932e9dec380c67ec15ac3eb073bb55797d8b4801 upstream.

When running a 32bit kernel the hda_intel driver is still reporting
a 64bit dma_mask if the HW supports it.

>>From sound/pci/hda/hda_intel.c:

        /* allow 64bit DMA address if supported by H/W */
        if ((gcap & ICH6_GCAP_64OK) && !pci_set_dma_mask(pci, DMA_BIT_MASK(64)))
                pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(64));
        else {
                pci_set_dma_mask(pci, DMA_BIT_MASK(32));
                pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(32));
        }

which means when there is a call to dma_alloc_coherent from
snd_malloc_dev_pages a machine address bigger than 32bit can be returned.
This can be true in particular if running  the 32bit kernel as a pv dom0
under the Xen Hypervisor or PAE on bare metal.

The problem is that when calling setup_bdle to program the BLE the
dma_addr_t returned from the dma_alloc_coherent is wrongly truncated
from snd_sgbuf_get_addr if running a 32bit kernel:

static inline dma_addr_t snd_sgbuf_get_addr(struct snd_dma_buffer *dmab,
                                           size_t offset)
{
        struct snd_sg_buf *sgbuf = dmab->private_data;
        dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr;
        addr &= PAGE_MASK;
        return addr + offset % PAGE_SIZE;
}

where PAGE_MASK in a 32bit kernel is zeroing the upper 32bit af addr.

Without this patch the HW will fetch the 32bit truncated address,
which is not the one obtained from dma_alloc_coherent and will result
to a non working audio but can corrupt host memory at a random location.

The current patch apply to v3.13-rc3-74-g6c843f5

Signed-off-by: Stefano Panella <stefano.panella@citrix.com>
Reviewed-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/sound/memalloc.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/sound/memalloc.h
+++ b/include/sound/memalloc.h
@@ -103,7 +103,7 @@ static inline dma_addr_t snd_sgbuf_get_a
 {
 	struct snd_sg_buf *sgbuf = dmab->private_data;
 	dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr;
-	addr &= PAGE_MASK;
+	addr &= ~((dma_addr_t)PAGE_SIZE - 1);
 	return addr + offset % PAGE_SIZE;
 }

next prev parent reply	other threads:[~2013-12-18 22:06 UTC|newest]

Thread overview: 79+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-12-18 21:10 [PATCH 3.10 00/78] 3.10.25-stable review Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 01/78] MIPS: DMA: For BMIPS5000 cores flush region just like non-coherent R10000 Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 02/78] Input: xpad - add signature for Razer Onza Classic Edition Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 03/78] ALSA: compress: Fix 64bit ABI incompatibility Greg Kroah-Hartman
2013-12-18 21:10 ` Greg Kroah-Hartman [this message]
2013-12-18 21:10   ` [PATCH 3.10 04/78] ALSA: memalloc.h - fix wrong truncation of dma_addr_t Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 05/78] ALSA: hda - Add static DAC/pin mapping for AD1986A codec Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 06/78] ALSA: hda - Mute all aamix inputs as default Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 07/78] ALSA: hda - hdmi: Fix IEC958 ctl indexes for some simple HDMI devices Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 08/78] ARM: pxa: tosa: fix keys mapping Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 09/78] ARM: pxa: prevent PXA270 occasional reboot freezes Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 10/78] ARM: OMAP3: hwmod data: Dont prevent RESET of USB Host module Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 11/78] ARM: 7912/1: check stack pointer in get_wchan Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 12/78] ARM: 7913/1: fix framepointer check in unwind_frame Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 13/78] KVM: Improve create VCPU parameter (CVE-2013-4587) Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 14/78] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 15/78] KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 16/78] KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 17/78] hwmon: Prevent some divide by zeros in FAN_TO_REG() Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 19/78] hwmon: (w83l786ng) Fix fan speed control mode setting and reporting Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 20/78] hwmon: (w83l768ng) Fix fan speed control range Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 21/78] xfs: growfs overruns AGFL buffer on V4 filesystems Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 22/78] xfs: underflow bug in xfs_attrlist_by_handle() Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 23/78] PCI: Disable Bus Master only on kexec reboot Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 24/78] futex: fix handling of read-only-mapped hugepages Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 25/78] nfsd: when reusing an existing repcache entry, unhash it first Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 26/78] usb: hub: Use correct reset for wedged USB3 devices that are NOTATTACHED Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 27/78] usb: dwc3: fix implementation of endpoint wedge Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 28/78] usb: gadget: composite: reset delayed_status on reset_config Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 29/78] USB: serial: option: blacklist interface 1 for Huawei E173s-6 Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 30/78] USB: option: support new huawei devices Greg Kroah-Hartman
2013-12-18 21:10 ` [PATCH 3.10 31/78] Input: usbtouchscreen - separate report and transmit buffer size handling Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 32/78] media: af9035: fix broken I2C and USB I/O Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 33/78] powerpc: Fix PTE page address mismatch in pgtable ctor/dtor Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 34/78] drivers/rtc/rtc-at91rm9200.c: correct alarm over day/month wrap Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 36/78] ath9k: Fix QuickDrop usage Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 37/78] ath9k: Fix XLNA bias strength Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 38/78] selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 39/78] selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 40/78] Revert "mac80211: allow disable power save in mesh" Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 41/78] mac80211: dont attempt to reorder multicast frames Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 42/78] iwlwifi: mvm: check sta_id/drain values in debugfs Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 43/78] mwifiex: fix memory leak issue for ibss join Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 44/78] igb: Fix for issue where values could be too high for udelay function Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 45/78] drm/radeon: program DCE2 audio dto just like DCE3 Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 46/78] drm/radeon: fixup bad vram size on SI Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 47/78] x86, efi: Dont use (U)EFI time services on 32 bit Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 48/78] x86, build: Pass in additional -mno-mmx, -mno-sse options Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 49/78] x86, build, icc: Remove uninitialized_var() from compiler-intel.h Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 50/78] media: saa7164: fix return value check in saa7164_initdev() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 52/78] media: af9033: fix broken I2C Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 53/78] media: wm8775: fix broken audio routing Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 54/78] media: af9035: add [0413:6a05] Leadtek WinFast DTV Dongle Dual Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 55/78] media: af9035: unlock on error in af9035_i2c_master_xfer() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 56/78] Btrfs: fix access_ok() check in btrfs_ioctl_send() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 57/78] btrfs: call mnt_drop_write after interrupted subvol deletion Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 58/78] dm bufio: initialize read-only module parameters Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 59/78] dm snapshot: avoid snapshot space leak on crash Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 60/78] dm array: fix a reference counting bug in shadow_ablock Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 61/78] dm delay: fix a possible deadlock due to shared workqueue Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 62/78] dm space map metadata: return on failure in sm_metadata_new_block Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 63/78] dm table: fail dm_table_create on dm_round_up overflow Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 64/78] dm thin: switch to read only mode if a mapping insert fails Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 66/78] [media] cxd2820r_core: fix sparse warnings Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 67/78] sched: Avoid throttle_cfs_rq() racing with period_timer stopping Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 68/78] staging: comedi: pcmuio: fix possible NULL deref on detach Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 69/78] staging: comedi: drivers: use comedi_dio_update_state() for simple cases Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 70/78] staging: comedi: ssv_dnp: use comedi_dio_update_state() Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 71/78] sc1200_wdt: Fix oops Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 72/78] NFSv4 wait on recovery for async session errors Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 73/78] [PATCH linux-3.10.y] ip6tnl: fix use after free of fb_tnl_dev Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 74/78] Revert "net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST" Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 75/78] Btrfs: fix memory leak of chunks extent map Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 76/78] Btrfs: fix hole check in log_one_extent Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 77/78] Btrfs: fix incorrect inode acl reset Greg Kroah-Hartman
2013-12-18 21:11 ` [PATCH 3.10 78/78] Btrfs: do not run snapshot-aware defragment on error Greg Kroah-Hartman
2013-12-19  2:04 ` [PATCH 3.10 00/78] 3.10.25-stable review Guenter Roeck
2013-12-19  3:40   ` Greg Kroah-Hartman
2013-12-19 20:47 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20131218211112.028650310@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=frediano.ziglio@citrix.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=stefano.panella@citrix.com \
    --cc=tiwai@suse.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.