From e229897d373a87ee09ec5cc4ecd4bb2f895fc16b Mon Sep 17 00:00:00 2001 From: Jinjie Ruan Date: Thu, 31 Aug 2023 20:39:27 +0800 Subject: [PATCH 1/8] ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() The debugfs_create_dir() function returns error pointers. It never returns NULL. So use IS_ERR() to check it. Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") Signed-off-by: Jinjie Ruan Reviewed-by: Dave Jiang Signed-off-by: Jon Mason --- drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c index 9ab836d0d4f1..079b8cd79785 100644 --- a/drivers/ntb/hw/intel/ntb_hw_gen1.c +++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c @@ -778,7 +778,7 @@ static void ndev_init_debugfs(struct intel_ntb_dev *ndev) ndev->debugfs_dir = debugfs_create_dir(pci_name(ndev->ntb.pdev), debugfs_dir); - if (!ndev->debugfs_dir) + if (IS_ERR(ndev->debugfs_dir)) ndev->debugfs_info = NULL; else ndev->debugfs_info = From 1501ae7479c8d0f66efdbfdc9ae8d6136cefbd37 Mon Sep 17 00:00:00 2001 From: Max Hawking Date: Sun, 8 Oct 2023 20:45:16 -0700 Subject: [PATCH 2/8] ntb_perf: Fix printk format The correct printk format is %pa or %pap, but not %pa[p]. Fixes: 99a06056124d ("NTB: ntb_perf: Fix address err in perf_copy_chunk") Signed-off-by: Max Hawking Signed-off-by: Jon Mason --- drivers/ntb/test/ntb_perf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ntb/test/ntb_perf.c b/drivers/ntb/test/ntb_perf.c index 553f1f46bc66..72bc1d017a46 100644 --- a/drivers/ntb/test/ntb_perf.c +++ b/drivers/ntb/test/ntb_perf.c @@ -1227,7 +1227,7 @@ static ssize_t perf_dbgfs_read_info(struct file *filep, char __user *ubuf, "\tOut buffer addr 0x%pK\n", peer->outbuf); pos += scnprintf(buf + pos, buf_size - pos, - "\tOut buff phys addr %pa[p]\n", &peer->out_phys_addr); + "\tOut buff phys addr %pap\n", &peer->out_phys_addr); pos += scnprintf(buf + pos, buf_size - pos, "\tOut buffer size %pa\n", &peer->outbuf_size); From 35c87cb80d65859342611cbb7bd501d490452120 Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Sat, 20 Jul 2024 12:59:36 +0200 Subject: [PATCH 3/8] ntb: Constify struct bus_type 'struct bus_type' is not modified in this driver. Constifying this structure moves some data to a read-only section, so increase overall security, especially when the structure holds some function pointers. On a x86_64, with allmodconfig: Before: ====== text data bss dec hex filename 69682 4593 152 74427 122bb drivers/ntb/ntb_transport.o 5847 448 32 6327 18b7 drivers/ntb/core.o After: ===== text data bss dec hex filename 69858 4433 152 74443 122cb drivers/ntb/ntb_transport.o 6007 288 32 6327 18b7 drivers/ntb/core.o Signed-off-by: Christophe JAILLET Reviewed-by: Dave Jiang Signed-off-by: Jon Mason --- drivers/ntb/core.c | 4 ++-- drivers/ntb/ntb_transport.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/ntb/core.c b/drivers/ntb/core.c index d702bee78082..ed6f4adc6130 100644 --- a/drivers/ntb/core.c +++ b/drivers/ntb/core.c @@ -72,7 +72,7 @@ MODULE_VERSION(DRIVER_VERSION); MODULE_AUTHOR(DRIVER_AUTHOR); MODULE_DESCRIPTION(DRIVER_DESCRIPTION); -static struct bus_type ntb_bus; +static const struct bus_type ntb_bus; static void ntb_dev_release(struct device *dev); int __ntb_register_client(struct ntb_client *client, struct module *mod, @@ -298,7 +298,7 @@ static void ntb_dev_release(struct device *dev) complete(&ntb->released); } -static struct bus_type ntb_bus = { +static const struct bus_type ntb_bus = { .name = "ntb", .probe = ntb_probe, .remove = ntb_remove, diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c index 77e55debeed6..a79f68e18d3f 100644 --- a/drivers/ntb/ntb_transport.c +++ b/drivers/ntb/ntb_transport.c @@ -314,7 +314,7 @@ static void ntb_transport_bus_remove(struct device *dev) put_device(dev); } -static struct bus_type ntb_transport_bus = { +static const struct bus_type ntb_transport_bus = { .name = "ntb_transport", .match = ntb_transport_bus_match, .probe = ntb_transport_bus_probe, From f407048235a3ac626078139b0c5cf313b946eba2 Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Thu, 18 Jan 2024 19:28:45 -0800 Subject: [PATCH 4/8] NTB: ntb_transport: fix all kernel-doc warnings Fix all kernel-doc warnings in ntb_transport.c. The function parameters for ntb_transport_create_queue() changed, so update them in the kernel-doc comments. Add a Returns: comment for ntb_transport_register_client_dev(). ntb_transport.c:382: warning: No description found for return value of 'ntb_transport_register_client_dev' ntb_transport.c:1984: warning: Excess function parameter 'rx_handler' description in 'ntb_transport_create_queue' ntb_transport.c:1984: warning: Excess function parameter 'tx_handler' description in 'ntb_transport_create_queue' ntb_transport.c:1984: warning: Excess function parameter 'event_handler' description in 'ntb_transport_create_queue' Signed-off-by: Randy Dunlap Cc: Jon Mason Cc: Dave Jiang Cc: Allen Hubbe Cc: ntb@lists.linux.dev Reviewed-by: Dave Jiang Signed-off-by: Jon Mason --- drivers/ntb/ntb_transport.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c index a79f68e18d3f..392a5952afd5 100644 --- a/drivers/ntb/ntb_transport.c +++ b/drivers/ntb/ntb_transport.c @@ -377,6 +377,8 @@ EXPORT_SYMBOL_GPL(ntb_transport_unregister_client_dev); * @device_name: Name of NTB client device * * Register an NTB client device with the NTB transport layer + * + * Returns: %0 on success or -errno code on error */ int ntb_transport_register_client_dev(char *device_name) { @@ -1966,9 +1968,9 @@ static bool ntb_dma_filter_fn(struct dma_chan *chan, void *node) /** * ntb_transport_create_queue - Create a new NTB transport layer queue - * @rx_handler: receive callback function - * @tx_handler: transmit callback function - * @event_handler: event callback function + * @data: pointer for callback data + * @client_dev: &struct device pointer + * @handlers: pointer to various ntb queue (callback) handlers * * Create a new NTB transport layer queue and provide the queue with a callback * routine for both transmit and receive. The receive callback routine will be From b669fafd51b454f45fde5b0c6ba228ffa19e859d Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Tue, 5 Dec 2023 21:59:34 -0800 Subject: [PATCH 5/8] NTB: epf: don't misuse kernel-doc marker Use "/*" instead of "/**" for common C comments to prevent warnings from scripts/kernel-doc. ntb_hw_epf.c:15: warning: expecting prototype for Host side endpoint driver to implement Non(). Prototype was for NTB_EPF_COMMAND() instead Signed-off-by: Randy Dunlap Cc: Jon Mason Cc: Dave Jiang Cc: Allen Hubbe Cc: ntb@lists.linux.dev Signed-off-by: Jon Mason --- drivers/ntb/hw/epf/ntb_hw_epf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ntb/hw/epf/ntb_hw_epf.c b/drivers/ntb/hw/epf/ntb_hw_epf.c index b640aa0bf45e..00f0e78f685b 100644 --- a/drivers/ntb/hw/epf/ntb_hw_epf.c +++ b/drivers/ntb/hw/epf/ntb_hw_epf.c @@ -1,5 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 -/** +/* * Host side endpoint driver to implement Non-Transparent Bridge functionality * * Copyright (C) 2020 Texas Instruments From 87a7d7150589f68cd7938b208310c93d1e4c3773 Mon Sep 17 00:00:00 2001 From: zhang jiao Date: Wed, 4 Sep 2024 14:54:42 +0800 Subject: [PATCH 6/8] ntb: idt: Fix the cacography in ntb_hw_idt.c The word 'swtich' is wrong, so fix it. Signed-off-by: zhang jiao Acked-by: Serge Semin Reviewed-by: Dave Jiang Signed-off-by: Jon Mason --- drivers/ntb/hw/idt/ntb_hw_idt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c index 48dfb1a69a77..6fc9dfe82474 100644 --- a/drivers/ntb/hw/idt/ntb_hw_idt.c +++ b/drivers/ntb/hw/idt/ntb_hw_idt.c @@ -2547,7 +2547,7 @@ static void idt_deinit_dbgfs(struct idt_ntb_dev *ndev) */ /* - * idt_check_setup() - Check whether the IDT PCIe-swtich is properly + * idt_check_setup() - Check whether the IDT PCIe-switch is properly * pre-initialized * @pdev: Pointer to the PCI device descriptor * From e51aded92d42784313ba16c12f4f88cc4f973bbb Mon Sep 17 00:00:00 2001 From: Kaixin Wang Date: Tue, 10 Sep 2024 01:20:07 +0800 Subject: [PATCH 7/8] ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be called to start the work. If we remove the module which will call switchtec_ntb_remove to make cleanup, it will free sndev through kfree(sndev), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | check_link_status_work switchtec_ntb_remove | kfree(sndev); | | if (sndev->link_force_down) | // use sndev Fix it by ensuring that the work is canceled before proceeding with the cleanup in switchtec_ntb_remove. Signed-off-by: Kaixin Wang Reviewed-by: Logan Gunthorpe Signed-off-by: Jon Mason --- drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c index 31946387badf..ad1786be2554 100644 --- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c @@ -1554,6 +1554,7 @@ static void switchtec_ntb_remove(struct device *dev) switchtec_ntb_deinit_db_msg_irq(sndev); switchtec_ntb_deinit_shared_mw(sndev); switchtec_ntb_deinit_crosslink(sndev); + cancel_work_sync(&sndev->check_link_status_work); kfree(sndev); dev_info(dev, "ntb device unregistered\n"); } From 061a785a114f159e990ea8ed8d1b7dca4b41120f Mon Sep 17 00:00:00 2001 From: Dave Jiang Date: Thu, 5 Sep 2024 14:22:07 -0700 Subject: [PATCH 8/8] ntb: Force physically contiguous allocation of rx ring buffers Physical addresses under IOVA on x86 platform are mapped contiguously as a side effect before the patch that removed CONFIG_DMA_REMAP. The NTB rx buffer ring is a single chunk DMA buffer that is allocated against the NTB PCI device. If the receive side is using a DMA device, then the buffers are remapped against the DMA device before being submitted via the dmaengine API. This scheme becomes a problem when the physical memory is discontiguous. When dma_map_page() is called on the kernel virtual address from the dma_alloc_coherent() call, the new IOVA mapping no longer points to all the physical memory allocated due to being discontiguous. Change dma_alloc_coherent() to dma_alloc_attrs() in order to force DMA_ATTR_FORCE_CONTIGUOUS attribute. This is the best fix for the circumstance. A potential future solution may be having the DMA mapping API providing a way to alias an existing IOVA mapping to a new device perhaps. This fix is not to fix the patch pointed to by the fixes tag, but to fix the issue arised in the ntb_transport driver on x86 platforms after the said patch is applied. Reported-by: Jerry Dai Fixes: f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP") Tested-by: Jerry Dai Signed-off-by: Dave Jiang Signed-off-by: Jon Mason --- drivers/ntb/ntb_transport.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c index 392a5952afd5..a22ea4a4b202 100644 --- a/drivers/ntb/ntb_transport.c +++ b/drivers/ntb/ntb_transport.c @@ -809,16 +809,29 @@ static void ntb_free_mw(struct ntb_transport_ctx *nt, int num_mw) } static int ntb_alloc_mw_buffer(struct ntb_transport_mw *mw, - struct device *dma_dev, size_t align) + struct device *ntb_dev, size_t align) { dma_addr_t dma_addr; void *alloc_addr, *virt_addr; int rc; - alloc_addr = dma_alloc_coherent(dma_dev, mw->alloc_size, - &dma_addr, GFP_KERNEL); + /* + * The buffer here is allocated against the NTB device. The reason to + * use dma_alloc_*() call is to allocate a large IOVA contiguous buffer + * backing the NTB BAR for the remote host to write to. During receive + * processing, the data is being copied out of the receive buffer to + * the kernel skbuff. When a DMA device is being used, dma_map_page() + * is called on the kvaddr of the receive buffer (from dma_alloc_*()) + * and remapped against the DMA device. It appears to be a double + * DMA mapping of buffers, but first is mapped to the NTB device and + * second is to the DMA device. DMA_ATTR_FORCE_CONTIGUOUS is necessary + * in order for the later dma_map_page() to not fail. + */ + alloc_addr = dma_alloc_attrs(ntb_dev, mw->alloc_size, + &dma_addr, GFP_KERNEL, + DMA_ATTR_FORCE_CONTIGUOUS); if (!alloc_addr) { - dev_err(dma_dev, "Unable to alloc MW buff of size %zu\n", + dev_err(ntb_dev, "Unable to alloc MW buff of size %zu\n", mw->alloc_size); return -ENOMEM; } @@ -847,7 +860,7 @@ static int ntb_alloc_mw_buffer(struct ntb_transport_mw *mw, return 0; err: - dma_free_coherent(dma_dev, mw->alloc_size, alloc_addr, dma_addr); + dma_free_coherent(ntb_dev, mw->alloc_size, alloc_addr, dma_addr); return rc; }