From: Andrew Turner <andrew@fubar.geek.nz>
Message-Id: <5325DB40-8B13-4B12-8C0E-86352003132E@fubar.geek.nz>
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Subject: Re: git: e0e8d0c8d694 - main - iommu_gas: consolidate find_space helpers
Date: Tue, 20 Dec 2022 19:32:04 +0000
In-Reply-To: <202207101939.26AJdeGp023355@gitrepo.freebsd.org>
Cc: "src-committers@freebsd.org" <src-committers@FreeBSD.org>,
 "dev-commits-src-all@freebsd.org" <dev-commits-src-all@FreeBSD.org>,
 "dev-commits-src-main@freebsd.org" <dev-commits-src-main@FreeBSD.org>
To: Doug Moore <dougm@freebsd.org>
References: <202207101939.26AJdeGp023355@gitrepo.freebsd.org>
> On 10 Jul 2022, at 20:39, Doug Moore <dougm@freebsd.org> wrote:
>
> The branch main has been updated by dougm:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=e0e8d0c8d69459c7128e6fd4fb537892445ce710
>
> commit e0e8d0c8d69459c7128e6fd4fb537892445ce710
> Author:     Doug Moore <dougm@FreeBSD.org>
> AuthorDate: 2022-07-10 19:24:23 +0000
> Commit:     Doug Moore <dougm@FreeBSD.org>
> CommitDate: 2022-07-10 19:24:23 +0000
>
>    iommu_gas: consolidate find_space helpers
>
>    Merge lowermatch and uppermatch into find_space.  Eliminate uppermatch
>    recursion.  Merge match_insert into match_one and eliminate some
>    redundant calculation.  Move some initialization out of find_space and
>    into map (and out from under a lock).
>

This commit introduced an integer overflow that breaks the iommu on
arm64.

In iommu_gas_find_space it adds "addr = a->common->lowaddr + 1;",
however when lowaddr is (bus_addr_t)-1 it will overflow making addr 0.
We then use this to set the bounds in iommu_gas_match_one, however this
will fail as the bounds are 0, 0.

When this first loop fails it then searches for address space above
highaddr, however as this is above the maximum address this loop is
never run.

As far as I can tell it works on amd64 because of another integer
overflow in the loop to find memory above highaddr where, due to it also
overflowing, it incorrectly uses 0 and domain->end as the bounds. It can
get into this case as curr->last == (bus_addr_t)-1 so the RB_PARENT
loop will exit with a non-NULL curr pointer.

D37756 works around this issue by making arm64 behave in the same way as
amd64, however I don't think we should be entering the second loop with
a highaddr of (bus_addr_t)-1 as it may lead to an invalid address being
allocated, e.g. if the first loop failed because it is out of usable
address space.

Andrew
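The wrap described in the message above, as an added example that is not code from this thread or from FreeBSD's iommu_gas: the "below lowaddr" search pass is modelled over a constructed list of busy ranges with inclusive bounds only, so a lowaddr of (bus_addr_t)-1 stays searchable instead of collapsing the window to [0, 0). `exclusive_limit`, `find_free_below`, `demo_find` and the sample map are hypothetical names chosen for this example.

```c
/* Added example (not code from the thread or FreeBSD's iommu_gas): the
 * "below lowaddr" pass modelled with INCLUSIVE bounds, so that a lowaddr
 * of (bus_addr_t)-1 is never turned into a limit that wraps to 0. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint64_t bus_addr_t;                 /* 64-bit, as on arm64/amd64 */
struct range { bus_addr_t start, end; };     /* inclusive, sorted, disjoint */

/* The pattern from the commit: an exclusive upper limit. For the maximum
 * address it yields 0, i.e. an empty search window. */
bus_addr_t exclusive_limit(bus_addr_t lowaddr) { return lowaddr + 1; }

/* Lowest free gap of 'size' bytes inside [0, lowaddr] over a sorted list of
 * busy ranges. Never adds 1 to a value that may be (bus_addr_t)-1. */
bool find_free_below(const struct range *busy, size_t n, bus_addr_t size,
                     bus_addr_t lowaddr, bus_addr_t *out)
{
    bus_addr_t cand = 0;                     /* start of the current gap */
    if (size == 0) return false;             /* avoids size - 1 wrapping */
    for (size_t i = 0; i <= n; i++) {
        bus_addr_t gap_end = lowaddr;        /* inclusive end of the gap */
        bool gap = true;
        if (i < n && busy[i].start <= lowaddr) {
            if (busy[i].start == 0)
                gap = false;                 /* entry at 0: no gap before it */
            else
                gap_end = busy[i].start - 1;
        }
        /* fits if gap_end - cand + 1 >= size; compare without the +1 */
        if (gap && cand <= gap_end && gap_end - cand >= size - 1) {
            *out = cand; return true;
        }
        if (i == n || busy[i].end >= lowaddr)
            return false;                    /* nothing usable beyond here */
        cand = busy[i].end + 1;              /* safe: end < lowaddr <= max */
    }
    return false;
}

/* Constructed map: one low reservation, then a tail reserved to the top. */
static const struct range sample_busy[] = { {0x1000, 0x1FFF}, {0x4000, (bus_addr_t)-1} };

/* Test wrapper; (bus_addr_t)-1 cannot be a valid result on this map. */
bus_addr_t demo_find(bus_addr_t size, bus_addr_t lowaddr)
{
    bus_addr_t a;
    return find_free_below(sample_busy, 2, size, lowaddr, &a) ? a : (bus_addr_t)-1;
}
```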

