Xen project Mailing List

Re: [Xen-devel] [PATCH V3 1/1] amd/iommu: Fix infinite loop due to ivrs_bdf_entries larger than 16-bit value

From: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>

Date: Mon, 30 Dec 2013 08:04:17 -0500

Cc: andrew.cooper3@xxxxxxxxxx, JBeulich@xxxxxxxx, xen-devel@xxxxxxxxxxxxx

Delivery-date: Mon, 30 Dec 2013 13:04:06 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 12/29/2013 06:34 PM, suravee.suthikulpanit@xxxxxxx wrote:

From: Suravee Suthikulpanit <suravee.suthikulpanit@xxxxxxx>

Certain AMD systems could have upto 0x10000 ivrs_bdf_entries.
However, the loop variable (bdf) is declared as u16 which causes
inifinite loop when parsing IOMMU event log with IO_PAGE_FAULT event.
This patch changes the variable to u32 instead.

Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@xxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
V3:
        - More places found in iommu_acpi.c
        - Add signed off message.
V2:
        - Fix in more places as pointed out by Andrew
  xen/drivers/passthrough/amd/iommu_acpi.c |   17 +++++++++++------
  xen/drivers/passthrough/amd/iommu_init.c |   13 +++++++------
  2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/xen/drivers/passthrough/amd/iommu_acpi.c 
b/xen/drivers/passthrough/amd/iommu_acpi.c
index fca2037..b396e0e 100644
--- a/xen/drivers/passthrough/amd/iommu_acpi.c
+++ b/xen/drivers/passthrough/amd/iommu_acpi.c
@@ -159,7 +159,7 @@ static int __init register_exclusion_range_for_all_devices(
      int seg = 0; /* XXX */
      unsigned long range_top, iommu_top, length;
      struct amd_iommu *iommu;
-    u16 bdf;
+    u32 bdf;

/* is part of exclusion range inside of IOMMU virtual address space? */

      /* note: 'limit' parameter is assumed to be page-aligned */
@@ -237,7 +237,8 @@ static int __init 
register_exclusion_range_for_iommu_devices(
      unsigned long base, unsigned long limit, u8 iw, u8 ir)
  {
      unsigned long range_top, iommu_top, length;
-    u16 bdf, req;
+    u32 bdf;
+    u16 req;

/* is part of exclusion range inside of IOMMU virtual address space? */

      /* note: 'limit' parameter is assumed to be page-aligned */
@@ -292,7 +293,8 @@ static int __init parse_ivmd_device_range(
      const struct acpi_ivrs_memory *ivmd_block,
      unsigned long base, unsigned long limit, u8 iw, u8 ir)
  {
-    u16 first_bdf, last_bdf, bdf;
+    u16 first_bdf, last_bdf;
+    u32 bdf;
      int error;

Shouldn't first_bdf and last_bdf be u32 as well? There is, for example, a loop in this routine for ( bdf = first_bdf, error = 0; (bdf <= last_bdf) && !error; bdf++ ) And in routines below as well. -boris

first_bdf = ivmd_block->header.device_id;

@@ -430,7 +432,8 @@ static u16 __init parse_ivhd_device_range(
      const struct acpi_ivhd_device_range *range,
      u16 header_length, u16 block_length, struct amd_iommu *iommu)
  {
-    u16 dev_length, first_bdf, last_bdf, bdf;
+    u16 dev_length, first_bdf, last_bdf;
+    u32 bdf;

dev_length = sizeof(*range);

      if ( header_length < (block_length + dev_length) )
@@ -511,7 +514,8 @@ static u16 __init parse_ivhd_device_alias_range(
      u16 header_length, u16 block_length, struct amd_iommu *iommu)
  {

- u16 dev_length, first_bdf, last_bdf, alias_id, bdf;

+    u16 dev_length, first_bdf, last_bdf, alias_id;
+    u32 bdf;

dev_length = sizeof(*range);

      if ( header_length < (block_length + dev_length) )
@@ -590,7 +594,8 @@ static u16 __init parse_ivhd_device_extended_range(
      const struct acpi_ivhd_device_extended_range *range,
      u16 header_length, u16 block_length, struct amd_iommu *iommu)
  {
-    u16 dev_length, first_bdf, last_bdf, bdf;
+    u16 dev_length, first_bdf, last_bdf;
+    u32 bdf;

dev_length = sizeof(*range);

      if ( header_length < (block_length + dev_length) )
diff --git a/xen/drivers/passthrough/amd/iommu_init.c 
b/xen/drivers/passthrough/amd/iommu_init.c
index b431d16..c410465 100644
--- a/xen/drivers/passthrough/amd/iommu_init.c
+++ b/xen/drivers/passthrough/amd/iommu_init.c
@@ -524,8 +524,8 @@ static hw_irq_controller iommu_maskable_msi_type = {

static void parse_event_log_entry(struct amd_iommu *iommu, u32 entry[])

  {
-    u16 domain_id, device_id, bdf, flags;
-    u32 code;
+    u16 domain_id, device_id, flags;
+    u32 code, bdf;
      u64 *addr;
      int count = 0;
      static const char *const event_str[] = {
@@ -1103,7 +1103,7 @@ int iterate_ivrs_entries(int (*handler)(u16 seg, struct 
ivrs_mappings *))

do {

          struct ivrs_mappings *map;
-        int bdf;
+        u32 bdf;

if ( !radix_tree_gang_lookup(&ivrs_maps, (void **)&map, seg, 1) )

              break;
@@ -1118,7 +1118,7 @@ int iterate_ivrs_entries(int (*handler)(u16 seg, struct 
ivrs_mappings *))
  static int __init alloc_ivrs_mappings(u16 seg)
  {
      struct ivrs_mappings *ivrs_mappings;
-    int bdf;
+    u32 bdf;

BUG_ON( !ivrs_bdf_entries );@@ -1156,7 +1156,7 @@ static int __init alloc_ivrs_mappings(u16 seg)

  static int __init amd_iommu_setup_device_table(
      u16 seg, struct ivrs_mappings *ivrs_mappings)
  {
-    int bdf;
+    u32 bdf;
      void *intr_tb, *dte;

BUG_ON( (ivrs_bdf_entries == 0) );

@@ -1306,7 +1306,8 @@ static void invalidate_all_domain_pages(void)
  static int _invalidate_all_devices(
      u16 seg, struct ivrs_mappings *ivrs_mappings)
  {
-    int bdf, req_id;
+    u32 bdf;
+    u16 req_id;
      unsigned long flags;
      struct amd_iommu *iommu;

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.