Re: [kbuild] [linux-next:master 6931/12022] drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 22 Feb 2021 17:10:43 +0300
Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:

> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git  master
> head:   37dfbfbdca66834bc0f64ec9b35e09ac6c8898da
> commit: 0f53afa12baec8c00f5d1d6afb49325ada105253 [6931/12022] vfio/type1: unmap cleanup

It's always the patches that claim no functional change... ;)

> config: i386-randconfig-m021-20210222 (attached as .config)
> compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
> 
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@xxxxxxxxx>
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> 
> New smatch warnings:
> drivers/vfio/vfio_iommu_type1.c:1093 vfio_dma_do_unmap() warn: impossible condition '(size > (~0)) => (0-u32max > u32max)'
> 
> vim +1093 drivers/vfio/vfio_iommu_type1.c
> 
> 73fa0d10d077d9 Alex Williamson 2012-07-31  1071  static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1072  			     struct vfio_iommu_type1_dma_unmap *unmap,
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1073  			     struct vfio_bitmap *bitmap)
> 73fa0d10d077d9 Alex Williamson 2012-07-31  1074  {
> c086de818dd81c Kirti Wankhede  2016-11-17  1075  	struct vfio_dma *dma, *dma_last = NULL;
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1076  	size_t unmapped = 0, pgsize;
> 0f53afa12baec8 Steve Sistare   2021-01-29  1077  	int ret = -EINVAL, retries = 0;
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1078  	unsigned long pgshift;
> 0f53afa12baec8 Steve Sistare   2021-01-29  1079  	dma_addr_t iova = unmap->iova;
> 0f53afa12baec8 Steve Sistare   2021-01-29  1080  	unsigned long size = unmap->size;
>                                                         ^^^^^^^^^^^^^^^^^^
> 
> 73fa0d10d077d9 Alex Williamson 2012-07-31  1081  
> cade075f265b25 Kirti Wankhede  2020-05-29  1082  	mutex_lock(&iommu->lock);
> cade075f265b25 Kirti Wankhede  2020-05-29  1083  
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1084  	pgshift = __ffs(iommu->pgsize_bitmap);
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1085  	pgsize = (size_t)1 << pgshift;
> cade075f265b25 Kirti Wankhede  2020-05-29  1086  
> 0f53afa12baec8 Steve Sistare   2021-01-29  1087  	if (iova & (pgsize - 1))
> cade075f265b25 Kirti Wankhede  2020-05-29  1088  		goto unlock;
> cade075f265b25 Kirti Wankhede  2020-05-29  1089  
> 0f53afa12baec8 Steve Sistare   2021-01-29  1090  	if (!size || size & (pgsize - 1))
> cade075f265b25 Kirti Wankhede  2020-05-29  1091  		goto unlock;
> 73fa0d10d077d9 Alex Williamson 2012-07-31  1092  
> 0f53afa12baec8 Steve Sistare   2021-01-29 @1093  	if (iova + size - 1 < iova || size > SIZE_MAX)
> 
> size is unsigned long and SIZE_MAX is ULONG_MAX so "size > SIZE_MAX"
> does not make sense.

I think it made sense before the above commit, where unmap->size is a
__u64 and a user could provide a value that exceeds SIZE_MAX on ILP32.
Seems like the fix is probably to use a size_t for the local variable
and restore this test to compare (unmap->size > SIZE_MAX).  Steve?

> Is the " - 1" intentional on the other overflow check?  As in it's okay
> to wrap around to zero but not further than that?  Sometimes this is
> intentional but it requires more subsystem expertise than I possess.

Yes, since we're dealing with a start + length we need to account for
the -1 in the end value, otherwise the user could never unmap the last
page of the address space.  Thanks for the report!

Alex

> cade075f265b25 Kirti Wankhede  2020-05-29  1094  		goto unlock;
> 73fa0d10d077d9 Alex Williamson 2012-07-31  1095  
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1096  	/* When dirty tracking is enabled, allow only min supported pgsize */
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1097  	if ((unmap->flags & VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP) &&
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1098  	    (!iommu->dirty_page_tracking || (bitmap->pgsize != pgsize))) {
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1099  		goto unlock;
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1100  	}
> 73fa0d10d077d9 Alex Williamson 2012-07-31  1101  
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1102  	WARN_ON((pgsize - 1) & PAGE_MASK);
> 331e33d2960c82 Kirti Wankhede  2020-05-29  1103  again:
> 1ef3e2bc04223f Alex Williamson 2014-02-26  1104  	/*
> 
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux