[PATCH OLK-6.6 0/3] iommu/arm-smmu-v3: Fix global-out-of-bounds access in arm_smmu_group_get_mpam()

Zeng Heng (3):
  arm64/mpam: Update the chip condition judgment in resctrl_arch_would_mbm_overflow()
  fs/resctrl: Prevent idle RMIDs from not being released in time from limbo
  iommu/arm-smmu-v3: Fix global-out-of-bounds access in arm_smmu_group_get_mpam()

 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 14 ++++++++++++++
 drivers/platform/mpam/mpam_devices.c        | 12 +-----------
 fs/resctrl/monitor.c                        |  2 +-
 3 files changed, 16 insertions(+), 12 deletions(-)

--
2.25.1

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8T2RT -------------------------------- So far, all HISI chipsets follow the definition of the DDI0598 version, the value field of MPAM Memory Bandwidth Usage Monitor Register indicates the memory bandwidth usage in bytes per second. Therefore, as an instantaneous value for memory bandwidth statistics, there is no possibility of causing the register to overflow. Fixes: 74c0a1abcc21 ("arm64/mpam: Add judgment to distinguish MSMON_MBWU_CAPTURE definition") Signed-off-by: Zeng Heng <zengheng4@huawei.com> --- drivers/platform/mpam/mpam_devices.c | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/drivers/platform/mpam/mpam_devices.c b/drivers/platform/mpam/mpam_devices.c index 566bd92dc010..4da9be7581ea 100644 --- a/drivers/platform/mpam/mpam_devices.c +++ b/drivers/platform/mpam/mpam_devices.c @@ -923,19 +923,9 @@ static u64 mpam_msmon_overflow_val(struct mpam_msc_ris *ris) return GENMASK_ULL(30, 0); } -static const struct midr_range mbwu_flowrate_list[] = { - MIDR_ALL_VERSIONS(MIDR_HISI_TSV110), - MIDR_ALL_VERSIONS(MIDR_HISI_LINXICORE9100), - MIDR_ALL_VERSIONS(MIDR_HISI_HIP12), - { /* sentinel */ } -}; - bool resctrl_arch_would_mbm_overflow(void) { - if (is_midr_in_range_list(read_cpuid_id(), mbwu_flowrate_list)) - return false; - - return true; + return read_cpuid_implementor() == ARM_CPU_IMP_HISI ? false : true; } static void __ris_msmon_read(void *arg) -- 2.25.1
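Review bot: In resctrl_arch_would_mbm_overflow(), `return read_cpuid_implementor() == ARM_CPU_IMP_HISI ? false : true;` wraps a comparison in a redundant ternary; `return read_cpuid_implementor() != ARM_CPU_IMP_HISI;` is equivalent and easier to read. The check also widens from the three parts named in the removed mbwu_flowrate_list to every HiSilicon implementor, and the reason for that is stated only in the commit message. A short comment above the function, saying that HISI parts report MBWU as an instantaneous bytes-per-second value and so cannot overflow, would keep the assumption next to the code for whoever has to revisit it when a part with a different register definition appears.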

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAG93D -------------------------------- The L3 cache occupancy limbo handler monitors idle RMIDs. If it detects that the cache occupancy of the monitored RMID is below the max_threshold_occupancy setting value, it will release the RMID from the limbo back to the rmid_free list. However, in scenarios where the user sets a high max_threshold_occupancy value and frequently creates or deletes monitoring groups, or simply frequently mounts and unmounts the resctrl filesystem, because of the limbo handler delayed scheduling, it can cause idle RMIDs to not be released back to the rmid_free list in time, which leads to the creating monitor group operations failing with ENOSPC. Fixes: 13e249bf4944 ("x86/resctrl: Move the filesystem portions of resctrl to live in '/fs/'") Signed-off-by: Zeng Heng <zengheng4@huawei.com> --- fs/resctrl/monitor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/resctrl/monitor.c b/fs/resctrl/monitor.c index fb60316199c4..66ebfaa26e28 100644 --- a/fs/resctrl/monitor.c +++ b/fs/resctrl/monitor.c @@ -289,7 +289,7 @@ static void add_rmid_to_limbo(struct rmid_entry *entry) * setup up the limbo worker. */ if (!has_busy_rmid(d)) - cqm_setup_limbo_handler(d, CQM_LIMBOCHECK_INTERVAL, + cqm_setup_limbo_handler(d, 0, RESCTRL_PICK_ANY_CPU); set_bit(idx, d->rmid_busy_llc); entry->busy++; -- 2.25.1
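Review bot: The bare `0` now passed as the delay to cqm_setup_limbo_handler() in add_rmid_to_limbo() is not explained at the call site, and the comment above it still only says that the limbo worker is set up. Please extend that comment to say the first check is scheduled immediately so that RMIDs already below the occupancy threshold return to rmid_free without waiting a full interval. It would also help to state, in the comment or the commit message, whether later re-arming of the handler still uses CQM_LIMBOCHECK_INTERVAL, since this hunk only shows the initial setup and CQM_LIMBOCHECK_INTERVAL no longer appears in it.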

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IC03L1 -------------------------------- During the testing of the SMMU functions related to MPAM, KASAN reports an access fault: BUG: KASAN: global-out-of-bounds in arm_smmu_group_get_mpam Read of size 4 at addr ffffd8dbdf3bf0d8 by task rmdir/9954 Call trace: arm_smmu_group_get_mpam+0x4c/0x150 iommu_group_get_qos_params+0xa8/0xe8 resctrl_arch_match_iommu_closid+0x80/0x118 rdt_move_group_iommus.isra.0+0x198/0x1c0 rdtgroup_rmdir_ctrl+0x58/0x1e8 rdtgroup_rmdir+0x198/0x290 kernfs_iop_rmdir+0xa0/0xe8 vfs_rmdir.part.0+0xd8/0x290 do_rmdir+0x288/0x2e0 The DMA of some devices like the HISI PTT trace can only work under Some devices' DMA (such as Hisi PTT trace) can only work in pass-through mode. Therefore, in the __iommu_domain_alloc(), the SMMU does not allocate a smmu_domain struct for them. Naturally, these types of devices do not support the MPAM feature. Consequently, for devices of type IOMMU_DOMAIN_IDENTITY and IOMMU_DOMAIN_BLOCKED, they are skipped in arm_smmu_group_get_mpam() or returned fail in arm_smmu_group_set_mpam(). Fixes: 587296e12d7d ("iommu/arm-smmu-v3: Add mpam helpers to query and set state") Signed-off-by: Zeng Heng <zengheng4@huawei.com> --- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c index f778936d7579..dee6ca2fbdb1 100644 --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c @@ -4004,6 +4004,7 @@ static int arm_smmu_group_set_mpam(struct iommu_group *group, u16 partid, int i; u32 sid; unsigned long flags; + unsigned int alloc_type; struct arm_smmu_ste *step; struct iommu_domain *domain; struct arm_smmu_device *smmu; 
@@ -4019,6 +4020,12 @@ static int arm_smmu_group_set_mpam(struct iommu_group *group, u16 partid, struct arm_smmu_master_domain *master_domain; domain = iommu_get_domain_for_group(group); + + alloc_type = domain->type & IOMMU_DOMAIN_ALLOC_FLAGS; + if (alloc_type == IOMMU_DOMAIN_IDENTITY || + alloc_type == IOMMU_DOMAIN_BLOCKED) + return -EINVAL; + smmu_domain = to_smmu_domain(domain); if (!smmu_domain->smmu) @@ -4062,12 +4069,19 @@ static int arm_smmu_group_get_mpam(struct iommu_group *group, u16 *partid, { int err = -EINVAL; unsigned long flags; + unsigned int alloc_type; struct iommu_domain *domain; struct arm_smmu_master *master; struct arm_smmu_domain *smmu_domain; struct arm_smmu_master_domain *master_domain; domain = iommu_get_domain_for_group(group); + + alloc_type = domain->type & IOMMU_DOMAIN_ALLOC_FLAGS; + if (alloc_type == IOMMU_DOMAIN_IDENTITY || + alloc_type == IOMMU_DOMAIN_BLOCKED) + return 0; + smmu_domain = to_smmu_domain(domain); if (!smmu_domain->smmu) -- 2.25.1
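Review bot: In arm_smmu_group_get_mpam(), the new early `return 0;` for IOMMU_DOMAIN_IDENTITY and IOMMU_DOMAIN_BLOCKED reports success without writing `*partid`, so a caller that trusts the return value reads whatever was in its variable beforehand. Either set the output parameters to a defined value before returning, or return an error as the matching check in arm_smmu_group_set_mpam() does (`return -EINVAL;`), and document the choice, since the two helpers now treat the same domain types differently. In both functions the added `domain->type` dereference also comes directly after iommu_get_domain_for_group() with no NULL check visible in these hunks; if that call can return NULL for a group without an attached domain, test `domain` before reading `type`. The identical three-line alloc_type test appears twice and could live in one small helper.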

Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/16631
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/IKB...
participants (2): patchwork bot, Zeng Heng