From: Andrew Turner
Subject: Re: git: e0e8d0c8d694 - main - iommu_gas: consolidate find_space helpers
Date: Tue, 20 Dec 2022 19:32:04 +0000
To: Doug Moore
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
In-Reply-To: <202207101939.26AJdeGp023355@gitrepo.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

> On 10 Jul 2022, at 20:39, Doug Moore wrote:
>
> The branch main has been updated by dougm:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=e0e8d0c8d69459c7128e6fd4fb537892445ce710
>
> commit e0e8d0c8d69459c7128e6fd4fb537892445ce710
> Author:     Doug Moore <dougm@FreeBSD.org>
> AuthorDate: 2022-07-10 19:24:23 +0000
> Commit:     Doug Moore <dougm@FreeBSD.org>
> CommitDate: 2022-07-10 19:24:23 +0000
>
>     iommu_gas: consolidate find_space helpers
>
>     Merge lowermatch and uppermatch into find_space.  Eliminate uppermatch
>     recursion.  Merge match_insert into match_one and eliminate some
>     redundant calculation.  Move some initialization out of find_space and
>     into map (and out from under a lock).
>

This commit introduced an integer overflow that breaks the iommu on arm64.

In iommu_gas_find_space it adds "addr = a->common->lowaddr + 1;", however when lowaddr is (bus_addr_t)-1 it will overflow, making addr 0. We then use this to set the bounds in iommu_gas_match_one; however, this will fail as the bounds are 0, 0.

When this first loop fails it then searches for address space above highaddr; however, as this is above the maximum address, this loop is never run.

As far as I can tell it works on amd64 because of another integer overflow in the loop to find memory above highaddr where, due to it also overflowing, it incorrectly uses 0 and domain->end as the bounds. It can get into this case as curr->last == (bus_addr_t)-1, so the RB_PARENT loop will exit with a non-NULL curr pointer.

D37756 works around this issue by making arm64 behave in the same way as amd64; however, I don't think we should be entering the second loop with a highaddr of (bus_addr_t)-1 as it may lead to an invalid address being allocated, e.g. if the first loop failed because it is out of usable address space.

Andrew
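The wrap-around described in the mail, as an added example that is not the kernel's iommu_gas code: a simplified model with a 64-bit bus_addr_t, showing lowaddr + 1 becoming 0 at (bus_addr_t)-1, a window end clamped to the domain end so the increment cannot wrap, and a check that refuses the "above highaddr" search when highaddr is already the maximum address. The function names, MAXADDR and the domain_end parameter are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t bus_addr_t;		/* 64-bit on arm64 and amd64 */
#define MAXADDR ((bus_addr_t)-1)	/* hypothetical name for (bus_addr_t)-1 */

/* The unchecked expression quoted in the mail: wraps to 0 when lowaddr == MAXADDR. */
bus_addr_t
lowaddr_plus_one_unchecked(bus_addr_t lowaddr)
{
	return (lowaddr + 1);
}

/* Hypothetical model, not the kernel's iommu_gas code: exclusive end of the
 * window at or below lowaddr, clamped to domain_end so that +1 cannot wrap. */
bus_addr_t
lower_window_end(bus_addr_t lowaddr, bus_addr_t domain_end)
{
	if (lowaddr >= domain_end)
		return (domain_end);
	return (lowaddr + 1);	/* cannot wrap: lowaddr < domain_end <= MAXADDR */
}

/* Hypothetical: is there any address above highaddr to search?  When highaddr
 * is already MAXADDR there is none, so fail instead of using a wrapped window. */
bool
upper_window(bus_addr_t highaddr, bus_addr_t domain_end,
    bus_addr_t *start, bus_addr_t *end)
{
	if (highaddr >= domain_end)
		return (false);
	*start = highaddr;
	*end = domain_end;
	return (true);
}

int
main(void)
{
	bus_addr_t s, e, dom_end = (bus_addr_t)1 << 48;	/* constructed domain size */
	printf("MAXADDR + 1 wraps to %#jx\n", (uintmax_t)lowaddr_plus_one_unchecked(MAXADDR));
	printf("clamped lower window end %#jx\n", (uintmax_t)lower_window_end(MAXADDR, dom_end));
	printf("upper search %s\n", upper_window(MAXADDR, dom_end, &s, &e) ? "run" : "skipped");
	return (0);
}
```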