linux-stable/drivers
Dan Carpenter d410a96e5c accel/qaic: Clean up integer overflow checking in map_user_pages()
[ Upstream commit 96d3c1cade ]

The encode_dma() function has some validation on in_trans->size but it
would be more clear to move those checks to find_and_map_user_pages().

The encode_dma() had two checks:

	if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size)
		return -EINVAL;

The in_trans->addr variable is the starting address.  The in_trans->size
variable is the total size of the transfer.  The transfer can occur in
parts and the resources->xferred_dma_size tracks how many bytes we have
already transferred.

This patch introduces a new variable "remaining" which represents the
amount we want to transfer (in_trans->size) minus the amount we have
already transferred (resources->xferred_dma_size).

I have modified the check for if in_trans->size is zero to instead check
if in_trans->size is less than resources->xferred_dma_size.  If we have
already transferred more bytes than in_trans->size then there are negative
bytes remaining which doesn't make sense.  If there are zero bytes
remaining to be copied, just return success.

The check in encode_dma() checked that "addr + size" could not overflow
and barring a driver bug that should work, but it's easier to check if
we do this in parts.  First check that "in_trans->addr +
resources->xferred_dma_size" is safe.  Then check that "xfer_start_addr +
remaining" is safe.

My final concern was that we are dealing with u64 values but on 32bit
systems the kmalloc() function will truncate the sizes to 32 bits.  So
I calculated "total = in_trans->size + offset_in_page(xfer_start_addr);"
and returned -EINVAL if it were >= SIZE_MAX.  This will not affect 64bit
systems.

Fixes: 129776ac2e ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Reviewed-by: Carl Vanderlip <quic_carlv@quicinc.com>
Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Link: https://patchwork.freedesktop.org/patch/msgid/24d3348b-25ac-4c1b-b171-9dae7c43e4e0@moroto.mountain
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-08-23 17:32:45 +02:00
accel accel/qaic: Clean up integer overflow checking in map_user_pages() 2023-08-23 17:32:45 +02:00
accessibility
acpi ACPI: scan: Create platform device for CS35L56 2023-08-16 18:32:31 +02:00
amba
android binder: fix memory leak in binder_init() 2023-08-16 18:32:21 +02:00
ata ata: pata_ns87415: mark ns87560_tf_read static 2023-08-03 10:26:00 +02:00
atm
auxdisplay
base x86/srso: Add a Speculative RAS Overflow mitigation 2023-08-08 20:04:51 +02:00
bcma
block zram: take device and not only bvec offset into account 2023-08-16 18:32:17 +02:00
bluetooth Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally 2023-08-23 17:32:32 +02:00
bus
cdrom
cdx
char tpm_tis: Opt-in interrupts 2023-08-16 18:32:19 +02:00
clk clk: mediatek: mt8183: Add back SSPM related clocks 2023-08-11 12:14:26 +02:00
clocksource
comedi
connector
counter
cpufreq cpufreq: amd-pstate: fix global sysfs attribute type 2023-08-16 18:32:20 +02:00
cpuidle cpuidle: psci: Move enabling OSI mode after power domains creation 2023-08-16 18:32:19 +02:00
crypto
cxl cxl/acpi: Return 'rc' instead of '0' in cxl_parse_cfmws() 2023-08-03 10:25:57 +02:00
dax
dca
devfreq
dio
dma dmaengine: owl-dma: Modify mismatched function name 2023-08-16 18:32:28 +02:00
dma-buf dma-buf: fix an error pointer vs NULL bug 2023-08-03 10:26:14 +02:00
edac
eisa
extcon
firewire firewire: net: fix use after free in fwnet_finish_incoming_packet() 2023-08-23 17:32:32 +02:00
firmware firmware: arm_scmi: Drop OF node reference in the transport channel setup 2023-08-11 12:14:19 +02:00
fpga
fsi
gnss
gpio gpio: sim: mark the GPIO chip as a one that can sleep 2023-08-16 18:32:29 +02:00
gpu drm/i915/guc/slpc: Restore efficient freq earlier 2023-08-23 17:32:44 +02:00
greybus
hid HID: intel-ish-hid: ipc: Add Arrow Lake PCI device ID 2023-08-23 17:32:29 +02:00
hsi
hte
hv
hwmon hwmon: (aquacomputer_d5next) Add selective 200ms delay after sending ctrl report 2023-08-16 18:32:25 +02:00
hwspinlock
hwtracing
i2c i2c: designware: Handle invalid SMBus block data response length value 2023-08-23 17:32:39 +02:00
i3c
idle
iio iio: light: bu27034: Fix scale format 2023-08-16 18:32:23 +02:00
infiniband RDMA/bnxt_re: consider timeout of destroy ah as success. 2023-08-23 17:32:28 +02:00
input
interconnect interconnect: qcom: sm8550: add enable_mask for bcm nodes 2023-08-16 18:32:23 +02:00
iommu iommu/amd: Introduce Disable IRTE Caching Support 2023-08-23 17:32:27 +02:00
ipack
irqchip irqchip/gic-v4.1: Properly lock VPEs when doing a directLPI invalidation 2023-08-03 10:26:09 +02:00
isdn mISDN: Update parameter type of dsp_cmx_send() 2023-08-16 18:32:25 +02:00
leds led: qcom-lpg: Fix resource leaks in for_each_available_child_of_node() loops 2023-08-23 17:32:30 +02:00
macintosh
mailbox
mcb
md dm cache policy smq: ensure IO doesn't prevent cleaner policy progress 2023-08-03 10:26:13 +02:00
media media: mtk-jpeg: Set platform driver data earlier 2023-08-23 17:32:37 +02:00
memory
memstick
message
mfd
misc misc: rtsx: judge ASPM Mode to set PETXCFG Reg 2023-08-16 18:32:21 +02:00
mmc mmc: sdhci-f-sdh30: Replace with sdhci_pltfm 2023-08-16 18:32:16 +02:00
most
mtd mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() 2023-08-11 12:14:27 +02:00
mux
net net: veth: Page pool creation error handling for existing pools only 2023-08-23 17:32:45 +02:00
nfc
ntb
nubus
nvdimm
nvme nvme-pci: add NVME_QUIRK_BOGUS_NID for Samsung PM9B1 256G and 512G 2023-08-16 18:32:18 +02:00
nvmem
of
opp
parisc
parport
pci PCI: tegra194: Fix possible array out of bounds access 2023-08-23 17:32:25 +02:00
pcmcia pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() 2023-08-23 17:32:31 +02:00
peci
perf
phy phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() 2023-08-03 10:25:50 +02:00
pinctrl
platform ACPI: scan: Create platform device for CS35L56 2023-08-16 18:32:31 +02:00
pnp
power
powercap
pps
ps3
ptp
pwm
rapidio
ras
regulator regulator: qcom-rpmh: Fix LDO 12 regulator for PM8550 2023-08-23 17:32:35 +02:00
remoteproc
reset
rpmsg
rtc
s390 scsi: zfcp: Defer fc_rport blocking until after ADISC response 2023-08-11 12:14:19 +02:00
sbus
scsi scsi: qedf: Fix firmware halt over suspend and resume 2023-08-16 18:32:31 +02:00
sh
siox
slimbus
soc soc: imx: imx8mp-blk-ctrl: register HSIO PLL clock as bus_power_dev child 2023-08-11 12:14:07 +02:00
soundwire soundwire: fix enumeration completion 2023-08-03 10:26:10 +02:00
spi
spmi
ssb
staging staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() 2023-08-03 10:26:05 +02:00
target
tc
tee
thermal thermal: of: fix double-free on unregistration 2023-08-03 10:26:13 +02:00
thunderbolt thunderbolt: Limit Intel Barlow Ridge USB3 bandwidth 2023-08-23 17:32:32 +02:00
tty tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms 2023-08-23 17:32:38 +02:00
ufs scsi: ufs: renesas: Fix private allocation 2023-08-16 18:32:30 +02:00
uio
usb usb: chipidea: imx: add missing USB PHY DPDM wakeup setting 2023-08-23 17:32:31 +02:00
vdpa vdpa: Enable strict validation for netlinks ops 2023-08-23 17:32:38 +02:00
vfio
vhost
video fbdev: mmp: fix value check in mmphw_probe() 2023-08-23 17:32:37 +02:00
virt
virtio virtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs() 2023-08-23 17:32:35 +02:00
vlynq
w1
watchdog watchdog: sp5100_tco: support Hygon FCH/SCH (Server Controller Hub) 2023-08-23 17:32:32 +02:00
xen xen: speed up grant-table reclaim 2023-08-03 10:26:09 +02:00
zorro
Kconfig
Makefile