From: Lu Baolu <baolu.lu-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
To: changbin.du-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org,
jroedel-l3A5Bk7waGM@public.gmane.org,
iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [RESEND][PATCH] iommu/vt-d: fix shift-out-of-bounds in bug checking
Date: Thu, 3 May 2018 07:56:27 +0800 [thread overview]
Message-ID: <5AEA502B.70502@linux.intel.com> (raw)
In-Reply-To: <1524897587-15125-1-git-send-email-changbin.du-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Hi,
On 04/28/2018 02:39 PM, changbin.du-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org wrote:
> From: Changbin Du <changbin.du-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
>
> It allows to flush more than 4GB of device TLBs. So the mask should be
> 64bit wide. UBSAN captured this fault as below.
>
> [ 3.760024] ================================================================================
> [ 3.768440] UBSAN: Undefined behaviour in drivers/iommu/dmar.c:1348:3
> [ 3.774864] shift exponent 64 is too large for 32-bit type 'int'
> [ 3.780853] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G U 4.17.0-rc1+ #89
> [ 3.788661] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016
> [ 3.796034] Call Trace:
> [ 3.798472] <IRQ>
> [ 3.800479] dump_stack+0x90/0xfb
> [ 3.803787] ubsan_epilogue+0x9/0x40
> [ 3.807353] __ubsan_handle_shift_out_of_bounds+0x10e/0x170
> [ 3.812916] ? qi_flush_dev_iotlb+0x124/0x180
> [ 3.817261] qi_flush_dev_iotlb+0x124/0x180
> [ 3.821437] iommu_flush_dev_iotlb+0x94/0xf0
> [ 3.825698] iommu_flush_iova+0x10b/0x1c0
> [ 3.829699] ? fq_ring_free+0x1d0/0x1d0
> [ 3.833527] iova_domain_flush+0x25/0x40
> [ 3.837448] fq_flush_timeout+0x55/0x160
> [ 3.841368] ? fq_ring_free+0x1d0/0x1d0
> [ 3.845200] ? fq_ring_free+0x1d0/0x1d0
> [ 3.849034] call_timer_fn+0xbe/0x310
> [ 3.852696] ? fq_ring_free+0x1d0/0x1d0
> [ 3.856530] run_timer_softirq+0x223/0x6e0
> [ 3.860625] ? sched_clock+0x5/0x10
> [ 3.864108] ? sched_clock+0x5/0x10
> [ 3.867594] __do_softirq+0x1b5/0x6f5
> [ 3.871250] irq_exit+0xd4/0x130
> [ 3.874470] smp_apic_timer_interrupt+0xb8/0x2f0
> [ 3.879075] apic_timer_interrupt+0xf/0x20
> [ 3.883159] </IRQ>
> [ 3.885255] RIP: 0010:poll_idle+0x60/0xe7
> [ 3.889252] RSP: 0018:ffffb1b201943e30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
> [ 3.896802] RAX: 0000000080200000 RBX: 000000000000008e RCX: 000000000000001f
> [ 3.903918] RDX: 0000000000000000 RSI: 000000002819aa06 RDI: 0000000000000000
> [ 3.911031] RBP: ffff9e93c6b33280 R08: 00000010f717d567 R09: 000000000010d205
> [ 3.918146] R10: ffffb1b201943df8 R11: 0000000000000001 R12: 00000000e01b169d
> [ 3.925260] R13: 0000000000000000 R14: ffffffffb12aa400 R15: 0000000000000000
> [ 3.932382] cpuidle_enter_state+0xb4/0x470
> [ 3.936558] do_idle+0x222/0x310
> [ 3.939779] cpu_startup_entry+0x78/0x90
> [ 3.943693] start_secondary+0x205/0x2e0
> [ 3.947607] secondary_startup_64+0xa5/0xb0
> [ 3.951783] ================================================================================
This looks good to me.
Best regards,
Lu Baolu
> Signed-off-by: Changbin Du <changbin.du-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> ---
> drivers/iommu/dmar.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
> index accf5838..e4ae600 100644
> --- a/drivers/iommu/dmar.c
> +++ b/drivers/iommu/dmar.c
> @@ -1345,7 +1345,7 @@ void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
> struct qi_desc desc;
>
> if (mask) {
> - BUG_ON(addr & ((1 << (VTD_PAGE_SHIFT + mask)) - 1));
> + BUG_ON(addr & ((1ULL << (VTD_PAGE_SHIFT + mask)) - 1));
> addr |= (1ULL << (VTD_PAGE_SHIFT + mask - 1)) - 1;
> desc.high = QI_DEV_IOTLB_ADDR(addr) | QI_DEV_IOTLB_SIZE;
> } else
WARNING: multiple messages have this Message-ID (diff)
From: Lu Baolu <baolu.lu@linux.intel.com>
To: changbin.du@intel.com, jroedel@suse.de, iommu@lists.linux-foundation.org
Cc: linux-kernel@vger.kernel.org
Subject: Re: [RESEND][PATCH] iommu/vt-d: fix shift-out-of-bounds in bug checking
Date: Thu, 3 May 2018 07:56:27 +0800 [thread overview]
Message-ID: <5AEA502B.70502@linux.intel.com> (raw)
In-Reply-To: <1524897587-15125-1-git-send-email-changbin.du@intel.com>
Hi,
On 04/28/2018 02:39 PM, changbin.du@intel.com wrote:
> From: Changbin Du <changbin.du@intel.com>
>
> It allows to flush more than 4GB of device TLBs. So the mask should be
> 64bit wide. UBSAN captured this fault as below.
>
> [ 3.760024] ================================================================================
> [ 3.768440] UBSAN: Undefined behaviour in drivers/iommu/dmar.c:1348:3
> [ 3.774864] shift exponent 64 is too large for 32-bit type 'int'
> [ 3.780853] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G U 4.17.0-rc1+ #89
> [ 3.788661] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016
> [ 3.796034] Call Trace:
> [ 3.798472] <IRQ>
> [ 3.800479] dump_stack+0x90/0xfb
> [ 3.803787] ubsan_epilogue+0x9/0x40
> [ 3.807353] __ubsan_handle_shift_out_of_bounds+0x10e/0x170
> [ 3.812916] ? qi_flush_dev_iotlb+0x124/0x180
> [ 3.817261] qi_flush_dev_iotlb+0x124/0x180
> [ 3.821437] iommu_flush_dev_iotlb+0x94/0xf0
> [ 3.825698] iommu_flush_iova+0x10b/0x1c0
> [ 3.829699] ? fq_ring_free+0x1d0/0x1d0
> [ 3.833527] iova_domain_flush+0x25/0x40
> [ 3.837448] fq_flush_timeout+0x55/0x160
> [ 3.841368] ? fq_ring_free+0x1d0/0x1d0
> [ 3.845200] ? fq_ring_free+0x1d0/0x1d0
> [ 3.849034] call_timer_fn+0xbe/0x310
> [ 3.852696] ? fq_ring_free+0x1d0/0x1d0
> [ 3.856530] run_timer_softirq+0x223/0x6e0
> [ 3.860625] ? sched_clock+0x5/0x10
> [ 3.864108] ? sched_clock+0x5/0x10
> [ 3.867594] __do_softirq+0x1b5/0x6f5
> [ 3.871250] irq_exit+0xd4/0x130
> [ 3.874470] smp_apic_timer_interrupt+0xb8/0x2f0
> [ 3.879075] apic_timer_interrupt+0xf/0x20
> [ 3.883159] </IRQ>
> [ 3.885255] RIP: 0010:poll_idle+0x60/0xe7
> [ 3.889252] RSP: 0018:ffffb1b201943e30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
> [ 3.896802] RAX: 0000000080200000 RBX: 000000000000008e RCX: 000000000000001f
> [ 3.903918] RDX: 0000000000000000 RSI: 000000002819aa06 RDI: 0000000000000000
> [ 3.911031] RBP: ffff9e93c6b33280 R08: 00000010f717d567 R09: 000000000010d205
> [ 3.918146] R10: ffffb1b201943df8 R11: 0000000000000001 R12: 00000000e01b169d
> [ 3.925260] R13: 0000000000000000 R14: ffffffffb12aa400 R15: 0000000000000000
> [ 3.932382] cpuidle_enter_state+0xb4/0x470
> [ 3.936558] do_idle+0x222/0x310
> [ 3.939779] cpu_startup_entry+0x78/0x90
> [ 3.943693] start_secondary+0x205/0x2e0
> [ 3.947607] secondary_startup_64+0xa5/0xb0
> [ 3.951783] ================================================================================
This looks good to me.
Best regards,
Lu Baolu
> Signed-off-by: Changbin Du <changbin.du@intel.com>
> ---
> drivers/iommu/dmar.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
> index accf5838..e4ae600 100644
> --- a/drivers/iommu/dmar.c
> +++ b/drivers/iommu/dmar.c
> @@ -1345,7 +1345,7 @@ void qi_flush_dev_iotlb(struct intel_iommu *iommu, u16 sid, u16 qdep,
> struct qi_desc desc;
>
> if (mask) {
> - BUG_ON(addr & ((1 << (VTD_PAGE_SHIFT + mask)) - 1));
> + BUG_ON(addr & ((1ULL << (VTD_PAGE_SHIFT + mask)) - 1));
> addr |= (1ULL << (VTD_PAGE_SHIFT + mask - 1)) - 1;
> desc.high = QI_DEV_IOTLB_ADDR(addr) | QI_DEV_IOTLB_SIZE;
> } else
next prev parent reply other threads:[~2018-05-02 23:56 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-28 6:39 [RESEND][PATCH] iommu/vt-d: fix shift-out-of-bounds in bug checking changbin.du-ral2JQCrhuEAvxtiuMwx3w
2018-04-28 6:39 ` changbin.du
[not found] ` <1524897587-15125-1-git-send-email-changbin.du-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2018-05-02 23:56 ` Lu Baolu [this message]
2018-05-02 23:56 ` Lu Baolu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5AEA502B.70502@linux.intel.com \
--to=baolu.lu-vuqaysv1563yd54fqh9/ca@public.gmane.org \
--cc=changbin.du-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=iommu-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=jroedel-l3A5Bk7waGM@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.