From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Alexander Duyck <alexander.h.duyck@linux.intel.com>,
Stanislaw Gruszka <sgruszka@redhat.com>,
Joerg Roedel <jroedel@suse.de>,
Jan Viktorin <jan.viktorin@gmail.com>
Subject: [PATCH 4.9 03/30] iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE
Date: Tue, 26 Mar 2019 15:29:42 +0900 [thread overview]
Message-ID: <20190326042607.692688142@linuxfoundation.org> (raw)
In-Reply-To: <20190326042607.558087893@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
commit 4e50ce03976fbc8ae995a000c4b10c737467beaa upstream.
Take into account that sg->offset can be bigger than PAGE_SIZE when
setting segment sg->dma_address. Otherwise sg->dma_address will point
at diffrent page, what makes DMA not possible with erros like this:
xhci_hcd 0000:38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0000 address=0x00000000fdaa70c0 flags=0x0020]
xhci_hcd 0000:38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0000 address=0x00000000fdaa7040 flags=0x0020]
xhci_hcd 0000:38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0000 address=0x00000000fdaa7080 flags=0x0020]
xhci_hcd 0000:38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0000 address=0x00000000fdaa7100 flags=0x0020]
xhci_hcd 0000:38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0000 address=0x00000000fdaa7000 flags=0x0020]
Additinally with wrong sg->dma_address unmap_sg will free wrong pages,
what what can cause crashes like this:
Feb 28 19:27:45 kernel: BUG: Bad page state in process cinnamon pfn:39e8b1
Feb 28 19:27:45 kernel: Disabling lock debugging due to kernel taint
Feb 28 19:27:45 kernel: flags: 0x2ffff0000000000()
Feb 28 19:27:45 kernel: raw: 02ffff0000000000 0000000000000000 ffffffff00000301 0000000000000000
Feb 28 19:27:45 kernel: raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
Feb 28 19:27:45 kernel: page dumped because: nonzero _refcount
Feb 28 19:27:45 kernel: Modules linked in: ccm fuse arc4 nct6775 hwmon_vid amdgpu nls_iso8859_1 nls_cp437 edac_mce_amd vfat fat kvm_amd ccp rng_core kvm mt76x0u mt76x0_common mt76x02_usb irqbypass mt76_usb mt76x02_lib mt76 crct10dif_pclmul crc32_pclmul chash mac80211 amd_iommu_v2 ghash_clmulni_intel gpu_sched i2c_algo_bit ttm wmi_bmof snd_hda_codec_realtek snd_hda_codec_generic drm_kms_helper snd_hda_codec_hdmi snd_hda_intel drm snd_hda_codec aesni_intel snd_hda_core snd_hwdep aes_x86_64 crypto_simd snd_pcm cfg80211 cryptd mousedev snd_timer glue_helper pcspkr r8169 input_leds realtek agpgart libphy rfkill snd syscopyarea sysfillrect sysimgblt fb_sys_fops soundcore sp5100_tco k10temp i2c_piix4 wmi evdev gpio_amdpt pinctrl_amd mac_hid pcc_cpufreq acpi_cpufreq sg ip_tables x_tables ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) fscrypto(E) sd_mod(E) hid_generic(E) usbhid(E) hid(E) dm_mod(E) serio_raw(E) atkbd(E) libps2(E) crc32c_intel(E) ahci(E) libahci(E) libata(E) xhci_pci(E) xhci_hcd(E)
Feb 28 19:27:45 kernel: scsi_mod(E) i8042(E) serio(E) bcache(E) crc64(E)
Feb 28 19:27:45 kernel: CPU: 2 PID: 896 Comm: cinnamon Tainted: G B W E 4.20.12-arch1-1-custom #1
Feb 28 19:27:45 kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./B450M Pro4, BIOS P1.20 06/26/2018
Feb 28 19:27:45 kernel: Call Trace:
Feb 28 19:27:45 kernel: dump_stack+0x5c/0x80
Feb 28 19:27:45 kernel: bad_page.cold.29+0x7f/0xb2
Feb 28 19:27:45 kernel: __free_pages_ok+0x2c0/0x2d0
Feb 28 19:27:45 kernel: skb_release_data+0x96/0x180
Feb 28 19:27:45 kernel: __kfree_skb+0xe/0x20
Feb 28 19:27:45 kernel: tcp_recvmsg+0x894/0xc60
Feb 28 19:27:45 kernel: ? reuse_swap_page+0x120/0x340
Feb 28 19:27:45 kernel: ? ptep_set_access_flags+0x23/0x30
Feb 28 19:27:45 kernel: inet_recvmsg+0x5b/0x100
Feb 28 19:27:45 kernel: __sys_recvfrom+0xc3/0x180
Feb 28 19:27:45 kernel: ? handle_mm_fault+0x10a/0x250
Feb 28 19:27:45 kernel: ? syscall_trace_enter+0x1d3/0x2d0
Feb 28 19:27:45 kernel: ? __audit_syscall_exit+0x22a/0x290
Feb 28 19:27:45 kernel: __x64_sys_recvfrom+0x24/0x30
Feb 28 19:27:45 kernel: do_syscall_64+0x5b/0x170
Feb 28 19:27:45 kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Cc: stable@vger.kernel.org
Reported-and-tested-by: Jan Viktorin <jan.viktorin@gmail.com>
Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Fixes: 80187fd39dcb ('iommu/amd: Optimize map_sg and unmap_sg')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd_iommu.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -2599,7 +2599,12 @@ static int map_sg(struct device *dev, st
/* Everything is mapped - write the right values into s->dma_address */
for_each_sg(sglist, s, nelems, i) {
- s->dma_address += address + s->offset;
+ /*
+ * Add in the remaining piece of the scatter-gather offset that
+ * was masked out when we were determining the physical address
+ * via (sg_phys(s) & PAGE_MASK) earlier.
+ */
+ s->dma_address += address + (s->offset & ~PAGE_MASK);
s->dma_length = s->length;
}
next prev parent reply other threads:[~2019-03-26 6:31 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-26 6:29 [PATCH 4.9 00/30] 4.9.166-stable review Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 01/30] mmc: pxamci: fix enum type confusion Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 02/30] drm/vmwgfx: Dont double-free the mode stored in par->set_mode Greg Kroah-Hartman
2019-03-26 6:29 ` Greg Kroah-Hartman [this message]
2019-03-26 6:29 ` [PATCH 4.9 04/30] libceph: wait for latest osdmap in ceph_monc_blacklist_add() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 05/30] udf: Fix crash on IO error during truncate Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 06/30] mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 07/30] MIPS: Ensure ELF appended dtb is relocated Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 08/30] MIPS: Fix kernel crash for R6 in jump label branch function Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 09/30] futex: Ensure that futex address is aligned in handle_futex_death() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 10/30] objtool: Move objtool_file struct off the stack Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 11/30] ext4: fix NULL pointer dereference while journal is aborted Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 12/30] ext4: fix data corruption caused by unaligned direct AIO Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 13/30] ext4: brelse all indirect buffer in ext4_ind_remove_space() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 14/30] media: v4l2-ctrls.c/uvc: zero v4l2_event Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 15/30] Bluetooth: Fix decrementing reference count twice in releasing socket Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 16/30] locking/lockdep: Add debug_locks check in __lock_downgrade() Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 17/30] ALSA: hda - Record the current power state before suspend/resume calls Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 18/30] ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 19/30] tcp/dccp: drop SYN packets if accept queue is full Greg Kroah-Hartman
2019-03-26 6:29 ` [PATCH 4.9 20/30] serial: sprd: adjust TIMEOUT to a big value Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 21/30] Hang/soft lockup in d_invalidate with simultaneous calls Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 22/30] arm64: traps: disable irq in die() Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 23/30] serial: sprd: clear timeout interrupt only rather than all interrupts Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 24/30] lib/int_sqrt: optimize small argument Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 25/30] USB: core: only clean up what we allocated Greg Kroah-Hartman
2019-03-30 17:18 ` Nathan Chancellor
2019-04-01 11:46 ` Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 26/30] scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 27/30] rtc: Fix overflow when converting time64_t to rtc_time Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 28/30] pwm-backlight: Enable/disable the PWM before/after LCD enable toggle Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 29/30] power: supply: charger-manager: Fix incorrect return value Greg Kroah-Hartman
2019-03-26 6:30 ` [PATCH 4.9 30/30] ath10k: avoid possible string overflow Greg Kroah-Hartman
2019-03-26 11:41 ` [PATCH 4.9 00/30] 4.9.166-stable review Naresh Kamboju
2019-03-26 12:03 ` kernelci.org bot
2019-03-26 15:18 ` Jon Hunter
2019-03-26 17:48 ` Guenter Roeck
2019-03-26 23:16 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190326042607.692688142@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.h.duyck@linux.intel.com \
--cc=jan.viktorin@gmail.com \
--cc=jroedel@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=sgruszka@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).