From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>, JBeulich@suse.com
Cc: xen-devel@lists.xen.org
Subject: Re: [PATCH 1/1] amd/iommu: Fix infinite loop when handling IO_PAGE_FAULT event
Date: Sun, 29 Dec 2013 22:51:30 +0700 [thread overview]
Message-ID: <52C04502.8000304@amd.com> (raw)
In-Reply-To: <52C04EC0.4010406@citrix.com>
On 12/29/2013 11:33 PM, Andrew Cooper wrote:
> On 29/12/2013 09:35, suravee.suthikulpanit@amd.com wrote:
>> From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
>>
>> Certain AMD systems could have upto 0x1000 ivrs_bdf_entries.
>> However, the loop variable (bdf) is declared as u16 which causes
>> inifinite loop when parsing IOMMU event log with IO_PAGE_FAULT event.
>> This patch changes the variable to u32 instead.
>
> Do you perhaps mean that there could be 0x10000 ivrs_bdf_entries?
> Otherwise I cant see how an infinite loop is possible.
Ah Yes, This is actually 0x10000. Sorry for the typo.
> On the other hand, assuming that the infinite loop is possible, it is
> also vulnerable in register_exclusion_range_for_{all,iommu}_devices(),
> which also have similar for loops with a u16 bdf.
Thanks for catching the rest here. I'll clean them up also and send out V2.
> Even if you do promote to a u32, the get_dma_requestor_id() call now
> truncates a u32 to a u16, so can now return the wrong device.
Actually, bdf should only be 16 bits. However, I think we just need to
resolve the looping logic. The truncation should not cause issue here.
>
> Beyond that, there is already quite a mix of u32, int and u16's for
> various bdf values across the this area of the code, with plenty of
> truncation issues at a glance.
>
> ~Andrew
>
I'll try to go through them and clean up in V2.
Suravee
prev parent reply other threads:[~2013-12-29 15:51 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-29 9:35 [PATCH 1/1] amd/iommu: Fix infinite loop when handling IO_PAGE_FAULT event suravee.suthikulpanit
2013-12-29 16:33 ` Andrew Cooper
2013-12-29 15:51 ` Suravee Suthikulpanit [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52C04502.8000304@amd.com \
--to=suravee.suthikulpanit@amd.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.