swiotlb: Fix double-allocation of slots due to broken alignment handling

PlaidCat · PlaidCat · commit 3cf5abf60edf · 2024-09-12T12:23:12.000-04:00
jira LE-1907 cve CVE-2024-35814 Rebuild_History Non-Buildable kernel-4.18.0-553.16.1.el8_10 commit-author Will Deacon <will@kernel.org> commit 04867a7 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/04867a7a.failed Commit bbb73a1 ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool. When virtio allocates the virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer: # Final address in brackets is the SWIOTLB address returned to the caller | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800) This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page. Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page. This also resolves swiotlb allocation failures occuring due to the inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and resulting in alignment requirements exceeding swiotlb_max_mapping_size(). Fixes: bbb73a1 ("swiotlb: fix a braino in the alignment check fix") Fixes: 0eee5ae ("swiotlb: fix slot alignment checks") Signed-off-by: Will Deacon <will@kernel.org> Reviewed-by: Michael Kelley <mhklinux@outlook.com> Reviewed-by: Petr Tesarik <petr.tesarik1@huawei-partners.com> Tested-by: Nicolin Chen <nicolinc@nvidia.com> Tested-by: Michael Kelley <mhklinux@outlook.com> Signed-off-by: Christoph Hellwig <hch@lst.de> (cherry picked from commit 04867a7) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # kernel/dma/swiotlb.c
diff --git a/ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/04867a7a.failed b/ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/04867a7a.failed
@@ -0,0 +1,215 @@
+swiotlb: Fix double-allocation of slots due to broken alignment handling
+
+jira LE-1907
+cve CVE-2024-35814
+Rebuild_History Non-Buildable kernel-4.18.0-553.16.1.el8_10
+commit-author Will Deacon <will@kernel.org>
+commit 04867a7a33324c9c562ee7949dbcaab7aaad1fb4
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/04867a7a.failed
+
+Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"),
+which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment
+checks"), causes a functional regression with vsock in a virtual machine
+using bouncing via a restricted DMA SWIOTLB pool.
+
+When virtio allocates the virtqueues for the vsock device using
+dma_alloc_coherent(), the SWIOTLB search can return page-unaligned
+allocations if 'area->index' was left unaligned by a previous allocation
+from the buffer:
+
+ # Final address in brackets is the SWIOTLB address returned to the caller
+ | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800)
+ | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800)
+ | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)
+
+This ends badly (typically buffer corruption and/or a hang) because
+swiotlb_alloc() is expecting a page-aligned allocation and so blindly
+returns a pointer to the 'struct page' corresponding to the allocation,
+therefore double-allocating the first half (2KiB slot) of the 4KiB page.
+
+Fix the problem by treating the allocation alignment separately to any
+additional alignment requirements from the device, using the maximum
+of the two as the stride to search the buffer slots and taking care
+to ensure a minimum of page-alignment for buffers larger than a page.
+
+This also resolves swiotlb allocation failures occuring due to the
+inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and
+resulting in alignment requirements exceeding swiotlb_max_mapping_size().
+
+Fixes: bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix")
+Fixes: 0eee5ae10256 ("swiotlb: fix slot alignment checks")
+	Signed-off-by: Will Deacon <will@kernel.org>
+	Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+	Reviewed-by: Petr Tesarik <petr.tesarik1@huawei-partners.com>
+	Tested-by: Nicolin Chen <nicolinc@nvidia.com>
+	Tested-by: Michael Kelley <mhklinux@outlook.com>
+	Signed-off-by: Christoph Hellwig <hch@lst.de>
+(cherry picked from commit 04867a7a33324c9c562ee7949dbcaab7aaad1fb4)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	kernel/dma/swiotlb.c
+diff --cc kernel/dma/swiotlb.c
+index c0e227dcb45e,980a7ec70418..000000000000
+--- a/kernel/dma/swiotlb.c
++++ b/kernel/dma/swiotlb.c
+@@@ -588,21 -923,88 +588,21 @@@ static unsigned int wrap_area_index(str
+  }
+  
+  /*
+ - * Track the total used slots with a global atomic value in order to have
+ - * correct information to determine the high water mark. The mem_used()
+ - * function gives imprecise results because there's no locking across
+ - * multiple areas.
+ - */
+ -#ifdef CONFIG_DEBUG_FS
+ -static void inc_used_and_hiwater(struct io_tlb_mem *mem, unsigned int nslots)
+ -{
+ -	unsigned long old_hiwater, new_used;
+ -
+ -	new_used = atomic_long_add_return(nslots, &mem->total_used);
+ -	old_hiwater = atomic_long_read(&mem->used_hiwater);
+ -	do {
+ -		if (new_used <= old_hiwater)
+ -			break;
+ -	} while (!atomic_long_try_cmpxchg(&mem->used_hiwater,
+ -					  &old_hiwater, new_used));
+ -}
+ -
+ -static void dec_used(struct io_tlb_mem *mem, unsigned int nslots)
+ -{
+ -	atomic_long_sub(nslots, &mem->total_used);
+ -}
+ -
+ -#else /* !CONFIG_DEBUG_FS */
+ -static void inc_used_and_hiwater(struct io_tlb_mem *mem, unsigned int nslots)
+ -{
+ -}
+ -static void dec_used(struct io_tlb_mem *mem, unsigned int nslots)
+ -{
+ -}
+ -#endif /* CONFIG_DEBUG_FS */
+ -
+ -#ifdef CONFIG_SWIOTLB_DYNAMIC
+ -#ifdef CONFIG_DEBUG_FS
+ -static void inc_transient_used(struct io_tlb_mem *mem, unsigned int nslots)
+ -{
+ -	atomic_long_add(nslots, &mem->transient_nslabs);
+ -}
+ -
+ -static void dec_transient_used(struct io_tlb_mem *mem, unsigned int nslots)
+ -{
+ -	atomic_long_sub(nslots, &mem->transient_nslabs);
+ -}
+ -
+ -#else /* !CONFIG_DEBUG_FS */
+ -static void inc_transient_used(struct io_tlb_mem *mem, unsigned int nslots)
+ -{
+ -}
+ -static void dec_transient_used(struct io_tlb_mem *mem, unsigned int nslots)
+ -{
+ -}
+ -#endif /* CONFIG_DEBUG_FS */
+ -#endif /* CONFIG_SWIOTLB_DYNAMIC */
+ -
+ -/**
+ - * swiotlb_search_pool_area() - search one memory area in one pool
+ - * @dev:	Device which maps the buffer.
+ - * @pool:	Memory pool to be searched.
+ - * @area_index:	Index of the IO TLB memory area to be searched.
+ - * @orig_addr:	Original (non-bounced) IO buffer address.
+ - * @alloc_size: Total requested size of the bounce buffer,
+ - *		including initial alignment padding.
+ - * @alloc_align_mask:	Required alignment of the allocated buffer.
+ - *
+ - * Find a suitable sequence of IO TLB entries for the request and allocate
+ - * a buffer from the given IO TLB memory area.
+ - * This function takes care of locking.
+ - *
+ - * Return: Index of the first allocated slot, or -1 on error.
+ + * Find a suitable number of IO TLB entries size that will fit this request and
+ + * allocate a buffer from that IO TLB pool.
+   */
+ -static int swiotlb_search_pool_area(struct device *dev, struct io_tlb_pool *pool,
+ -		int area_index, phys_addr_t orig_addr, size_t alloc_size,
+ +static int swiotlb_do_find_slots(struct device *dev, int area_index,
+ +		phys_addr_t orig_addr, size_t alloc_size,
+  		unsigned int alloc_align_mask)
+  {
+ -	struct io_tlb_area *area = pool->areas + area_index;
+ +	struct io_tlb_mem *mem = dev->dma_io_tlb_mem;
+ +	struct io_tlb_area *area = mem->areas + area_index;
+  	unsigned long boundary_mask = dma_get_seg_boundary(dev);
+  	dma_addr_t tbl_dma_addr =
+ -		phys_to_dma_unencrypted(dev, pool->start) & boundary_mask;
+ +		phys_to_dma_unencrypted(dev, mem->start) & boundary_mask;
+  	unsigned long max_slots = get_max_slots(boundary_mask);
+  	unsigned int iotlb_align_mask =
+- 		dma_get_min_align_mask(dev) | alloc_align_mask;
++ 		dma_get_min_align_mask(dev) & ~(IO_TLB_SIZE - 1);
+  	unsigned int nslots = nr_slots(alloc_size), stride;
+  	unsigned int offset = swiotlb_align_offset(dev, orig_addr);
+  	unsigned int index, slots_checked, count = 0, i;
+@@@ -611,36 -1013,38 +611,48 @@@
+  	unsigned int slot_index;
+  
+  	BUG_ON(!nslots);
+ -	BUG_ON(area_index >= pool->nareas);
+ +	BUG_ON(area_index >= mem->nareas);
+  
+  	/*
+- 	 * For allocations of PAGE_SIZE or larger only look for page aligned
+- 	 * allocations.
++ 	 * For mappings with an alignment requirement don't bother looping to
++ 	 * unaligned slots once we found an aligned one.
+  	 */
+- 	if (alloc_size >= PAGE_SIZE)
+- 		iotlb_align_mask |= ~PAGE_MASK;
+- 	iotlb_align_mask &= ~(IO_TLB_SIZE - 1);
++ 	stride = get_max_slots(max(alloc_align_mask, iotlb_align_mask));
+  
+  	/*
+- 	 * For mappings with an alignment requirement don't bother looping to
+- 	 * unaligned slots once we found an aligned one.
++ 	 * For allocations of PAGE_SIZE or larger only look for page aligned
++ 	 * allocations.
+  	 */
+- 	stride = (iotlb_align_mask >> IO_TLB_SHIFT) + 1;
++ 	if (alloc_size >= PAGE_SIZE)
++ 		stride = umax(stride, PAGE_SHIFT - IO_TLB_SHIFT + 1);
+  
+  	spin_lock_irqsave(&area->lock, flags);
+ -	if (unlikely(nslots > pool->area_nslabs - area->used))
+ +	if (unlikely(nslots > mem->area_nslabs - area->used))
+  		goto not_found;
+  
+ -	slot_base = area_index * pool->area_nslabs;
+ +	slot_base = area_index * mem->area_nslabs;
+  	index = area->index;
+  
+++<<<<<<< HEAD
+ +	for (slots_checked = 0; slots_checked < mem->area_nslabs; ) {
+ +		slot_index = slot_base + index;
+ +
+ +		if (orig_addr &&
+ +		    (slot_addr(tbl_dma_addr, slot_index) &
+ +		     iotlb_align_mask) != (orig_addr & iotlb_align_mask)) {
+ +			index = wrap_area_index(mem, index + 1);
+++=======
++ 	for (slots_checked = 0; slots_checked < pool->area_nslabs; ) {
++ 		phys_addr_t tlb_addr;
++ 
++ 		slot_index = slot_base + index;
++ 		tlb_addr = slot_addr(tbl_dma_addr, slot_index);
++ 
++ 		if ((tlb_addr & alloc_align_mask) ||
++ 		    (orig_addr && (tlb_addr & iotlb_align_mask) !=
++ 				  (orig_addr & iotlb_align_mask))) {
++ 			index = wrap_area_index(pool, index + 1);
+++>>>>>>> 04867a7a3332 (swiotlb: Fix double-allocation of slots due to broken alignment handling)
+  			slots_checked++;
+  			continue;
+  		}
+* Unmerged path kernel/dma/swiotlb.c
