Re: [PATCH] iommu/dma: Handle SG length overflow better

From: Nicolin Chen <nicoleotsuka@gmail.com>
To: Robin Murphy <robin.murphy@arm.com>
Cc: iommu@lists.linux-foundation.org
Subject: Re: [PATCH] iommu/dma: Handle SG length overflow better
Date: Tue, 6 Aug 2019 18:11:51 -0700	[thread overview]
Message-ID: <20190807011150.GA8938@Asurada-Nvidia.nvidia.com> (raw)
In-Reply-To: <166ef834-c10e-5f94-ee89-6a0caedf323d@arm.com>

Hi Robin,

On Tue, Aug 06, 2019 at 04:49:01PM +0100, Robin Murphy wrote:
> Hi Joerg,
> 
> On 06/08/2019 16:25, Joerg Roedel wrote:
> > Hi Robin,
> > 
> > On Mon, Jul 29, 2019 at 05:46:00PM +0100, Robin Murphy wrote:
> > > Since scatterlist dimensions are all unsigned ints, in the relatively
> > > rare cases where a device's max_segment_size is set to UINT_MAX, then
> > > the "cur_len + s_length <= max_len" check in __finalise_sg() will always
> > > return true. As a result, the corner case of such a device mapping an
> > > excessively large scatterlist which is mergeable to or beyond a total
> > > length of 4GB can lead to overflow and a bogus truncated dma_length in
> > > the resulting segment.
> > > 
> > > As we already assume that any single segment must be no longer than
> > > max_len to begin with, this can easily be addressed by reshuffling the
> > > comparison.
> > 
> > Has this been triggered in the wild of can this patch wait for the next
> > merge window?
> 
> My impression was that it's possible to hit this via relatively funky, but
> legitimate, use of dma-buf from userspace, however I don't know off-hand how
> many drivers actually support creating and exporting such crazy-large
> buffers in the first place.
>
> Nicolin - is your use-case something that's easy to do with standard
> software on stable kernels, or did it only come to light as part of a "big
> stack of embedded magic" type thing?

Well..it was triggered in our downstream test that's supposed to
cover large size (> 4G) corner case, so I don't feel it's "easy"
but our test case was running with 4.14 kernel so I also feel it
might be a good idea to Cc stable kernel even if we postpone the
patch during the merge window. I'll personally be fine with any
decision though -- if no one else cares that much, I'll backport
to our downstream 4.14 on my own.

As a reference, here is a partial list of mainline drivers that
were potentially affected, and are now secured by this change:
      drivers/dma/dw-edma/dw-edma-core.c:745:
        dma_set_max_seg_size(dma->dev, U32_MAX);
      drivers/dma/dma-axi-dmac.c:871:
        dma_set_max_seg_size(&pdev->dev, UINT_MAX);
      drivers/mmc/host/renesas_sdhi_internal_dmac.c:338:
        dma_set_max_seg_size(dev, 0xffffffff);
      drivers/nvme/host/pci.c:2520:
        dma_set_max_seg_size(dev->dev, 0xffffffff);

Above all, thanks for the fix.

Nicolin
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu