mirror of
https://gitee.com/bianbu-linux/linux-6.6
synced 2025-04-24 14:07:52 -04:00
463e862ac6
Since commit69031f5008("swiotlb: Set dev->dma_io_tlb_mem to the swiotlb pool used"), 'struct device' may hold a copy of the global 'io_default_tlb_mem' pointer if the device is using swiotlb for DMA. A subsequent call to swiotlb_exit() will therefore leave dangling pointers behind in these device structures, resulting in KASAN splats such as: | BUG: KASAN: use-after-free in __iommu_dma_unmap_swiotlb+0x64/0xb0 | Read of size 8 at addr ffff8881d7830000 by task swapper/0/0 | | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc3-debug #1 | Hardware name: HP HP Desktop M01-F1xxx/87D6, BIOS F.12 12/17/2020 | Call Trace: | <IRQ> | dump_stack+0x9c/0xcf | print_address_description.constprop.0+0x18/0x130 | kasan_report.cold+0x7f/0x111 | __iommu_dma_unmap_swiotlb+0x64/0xb0 | nvme_pci_complete_rq+0x73/0x130 | blk_complete_reqs+0x6f/0x80 | __do_softirq+0xfc/0x3be Convert 'io_default_tlb_mem' to a static structure, so that the per-device pointers remain valid after swiotlb_exit() has been invoked. All users are updated to reference the static structure directly, using the 'nslabs' field to determine whether swiotlb has been initialised. The 'slots' array is still allocated dynamically and referenced via a pointer rather than a flexible array member. Cc: Claire Chang <tientzu@chromium.org> Cc: Christoph Hellwig <hch@lst.de> Cc: Robin Murphy <robin.murphy@arm.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Fixes:69031f5008("swiotlb: Set dev->dma_io_tlb_mem to the swiotlb pool used") Reported-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Claire Chang <tientzu@chromium.org> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Will Deacon <will@kernel.org> Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
188 lines
5.3 KiB
C
188 lines
5.3 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef __LINUX_SWIOTLB_H
|
|
#define __LINUX_SWIOTLB_H
|
|
|
|
#include <linux/device.h>
|
|
#include <linux/dma-direction.h>
|
|
#include <linux/init.h>
|
|
#include <linux/types.h>
|
|
#include <linux/limits.h>
|
|
#include <linux/spinlock.h>
|
|
|
|
struct device;
|
|
struct page;
|
|
struct scatterlist;
|
|
|
|
enum swiotlb_force {
|
|
SWIOTLB_NORMAL, /* Default - depending on HW DMA mask etc. */
|
|
SWIOTLB_FORCE, /* swiotlb=force */
|
|
SWIOTLB_NO_FORCE, /* swiotlb=noforce */
|
|
};
|
|
|
|
/*
|
|
* Maximum allowable number of contiguous slabs to map,
|
|
* must be a power of 2. What is the appropriate value ?
|
|
* The complexity of {map,unmap}_single is linearly dependent on this value.
|
|
*/
|
|
#define IO_TLB_SEGSIZE 128
|
|
|
|
/*
|
|
* log of the size of each IO TLB slab. The number of slabs is command line
|
|
* controllable.
|
|
*/
|
|
#define IO_TLB_SHIFT 11
|
|
#define IO_TLB_SIZE (1 << IO_TLB_SHIFT)
|
|
|
|
/* default to 64MB */
|
|
#define IO_TLB_DEFAULT_SIZE (64UL<<20)
|
|
|
|
extern void swiotlb_init(int verbose);
|
|
int swiotlb_init_with_tbl(char *tlb, unsigned long nslabs, int verbose);
|
|
unsigned long swiotlb_size_or_default(void);
|
|
extern int swiotlb_late_init_with_tbl(char *tlb, unsigned long nslabs);
|
|
extern int swiotlb_late_init_with_default_size(size_t default_size);
|
|
extern void __init swiotlb_update_mem_attributes(void);
|
|
|
|
phys_addr_t swiotlb_tbl_map_single(struct device *hwdev, phys_addr_t phys,
|
|
size_t mapping_size, size_t alloc_size,
|
|
enum dma_data_direction dir, unsigned long attrs);
|
|
|
|
extern void swiotlb_tbl_unmap_single(struct device *hwdev,
|
|
phys_addr_t tlb_addr,
|
|
size_t mapping_size,
|
|
enum dma_data_direction dir,
|
|
unsigned long attrs);
|
|
|
|
void swiotlb_sync_single_for_device(struct device *dev, phys_addr_t tlb_addr,
|
|
size_t size, enum dma_data_direction dir);
|
|
void swiotlb_sync_single_for_cpu(struct device *dev, phys_addr_t tlb_addr,
|
|
size_t size, enum dma_data_direction dir);
|
|
dma_addr_t swiotlb_map(struct device *dev, phys_addr_t phys,
|
|
size_t size, enum dma_data_direction dir, unsigned long attrs);
|
|
|
|
#ifdef CONFIG_SWIOTLB
|
|
extern enum swiotlb_force swiotlb_force;
|
|
|
|
/**
|
|
* struct io_tlb_mem - IO TLB Memory Pool Descriptor
|
|
*
|
|
* @start: The start address of the swiotlb memory pool. Used to do a quick
|
|
* range check to see if the memory was in fact allocated by this
|
|
* API.
|
|
* @end: The end address of the swiotlb memory pool. Used to do a quick
|
|
* range check to see if the memory was in fact allocated by this
|
|
* API.
|
|
* @nslabs: The number of IO TLB blocks (in groups of 64) between @start and
|
|
* @end. For default swiotlb, this is command line adjustable via
|
|
* setup_io_tlb_npages.
|
|
* @used: The number of used IO TLB block.
|
|
* @list: The free list describing the number of free entries available
|
|
* from each index.
|
|
* @index: The index to start searching in the next round.
|
|
* @orig_addr: The original address corresponding to a mapped entry.
|
|
* @alloc_size: Size of the allocated buffer.
|
|
* @lock: The lock to protect the above data structures in the map and
|
|
* unmap calls.
|
|
* @debugfs: The dentry to debugfs.
|
|
* @late_alloc: %true if allocated using the page allocator
|
|
* @force_bounce: %true if swiotlb bouncing is forced
|
|
* @for_alloc: %true if the pool is used for memory allocation
|
|
*/
|
|
struct io_tlb_mem {
|
|
phys_addr_t start;
|
|
phys_addr_t end;
|
|
unsigned long nslabs;
|
|
unsigned long used;
|
|
unsigned int index;
|
|
spinlock_t lock;
|
|
struct dentry *debugfs;
|
|
bool late_alloc;
|
|
bool force_bounce;
|
|
bool for_alloc;
|
|
struct io_tlb_slot {
|
|
phys_addr_t orig_addr;
|
|
size_t alloc_size;
|
|
unsigned int list;
|
|
} *slots;
|
|
};
|
|
extern struct io_tlb_mem io_tlb_default_mem;
|
|
|
|
static inline bool is_swiotlb_buffer(struct device *dev, phys_addr_t paddr)
|
|
{
|
|
struct io_tlb_mem *mem = dev->dma_io_tlb_mem;
|
|
|
|
return mem && paddr >= mem->start && paddr < mem->end;
|
|
}
|
|
|
|
static inline bool is_swiotlb_force_bounce(struct device *dev)
|
|
{
|
|
struct io_tlb_mem *mem = dev->dma_io_tlb_mem;
|
|
|
|
return mem && mem->force_bounce;
|
|
}
|
|
|
|
void __init swiotlb_exit(void);
|
|
unsigned int swiotlb_max_segment(void);
|
|
size_t swiotlb_max_mapping_size(struct device *dev);
|
|
bool is_swiotlb_active(struct device *dev);
|
|
void __init swiotlb_adjust_size(unsigned long size);
|
|
#else
|
|
#define swiotlb_force SWIOTLB_NO_FORCE
|
|
static inline bool is_swiotlb_buffer(struct device *dev, phys_addr_t paddr)
|
|
{
|
|
return false;
|
|
}
|
|
static inline bool is_swiotlb_force_bounce(struct device *dev)
|
|
{
|
|
return false;
|
|
}
|
|
static inline void swiotlb_exit(void)
|
|
{
|
|
}
|
|
static inline unsigned int swiotlb_max_segment(void)
|
|
{
|
|
return 0;
|
|
}
|
|
static inline size_t swiotlb_max_mapping_size(struct device *dev)
|
|
{
|
|
return SIZE_MAX;
|
|
}
|
|
|
|
static inline bool is_swiotlb_active(struct device *dev)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
static inline void swiotlb_adjust_size(unsigned long size)
|
|
{
|
|
}
|
|
#endif /* CONFIG_SWIOTLB */
|
|
|
|
extern void swiotlb_print_info(void);
|
|
extern void swiotlb_set_max_segment(unsigned int);
|
|
|
|
#ifdef CONFIG_DMA_RESTRICTED_POOL
|
|
struct page *swiotlb_alloc(struct device *dev, size_t size);
|
|
bool swiotlb_free(struct device *dev, struct page *page, size_t size);
|
|
|
|
static inline bool is_swiotlb_for_alloc(struct device *dev)
|
|
{
|
|
return dev->dma_io_tlb_mem->for_alloc;
|
|
}
|
|
#else
|
|
static inline struct page *swiotlb_alloc(struct device *dev, size_t size)
|
|
{
|
|
return NULL;
|
|
}
|
|
static inline bool swiotlb_free(struct device *dev, struct page *page,
|
|
size_t size)
|
|
{
|
|
return false;
|
|
}
|
|
static inline bool is_swiotlb_for_alloc(struct device *dev)
|
|
{
|
|
return false;
|
|
}
|
|
#endif /* CONFIG_DMA_RESTRICTED_POOL */
|
|
|
|
#endif /* __LINUX_SWIOTLB_H */
|