On Tue, Jul 02, 2019 at 11:40:02AM +0100, Robin Murphy wrote: > On reflection, I don't really think that size_t fits here anyway, since > all the members of the incoming struct scatterlist are unsigned int too. > Does the patch below work?
Yes. > ----->8----- > From: Robin Murphy <[email protected]> > Subject: [PATCH] iommu/dma: Handle SG length overflow better > > Since scatterlist dimensions are all unsigned ints, in the relatively > rare cases where a device's max_segment_size is set to UINT_MAX, then > the "cur_len + s_length <= max_len" check in __finalise_sg() will always > return true. As a result, the corner case of such a device mapping an > excessively large scatterlist which is mergeable to or beyond a total > length of 4GB can lead to overflow and a bogus truncated dma_length in > the resulting segment. > > As we already assume that any single segment must be no longer than > max_len to begin with, this can easily be addressed by reshuffling the > comparison. > > Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging") > Reported-by: Nicolin Chen <[email protected]> > Signed-off-by: Robin Murphy <[email protected]> Tested-by: Nicolin Chen <[email protected]> Thank you! > --- > drivers/iommu/dma-iommu.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c > index 129c4badf9ae..8de6cf623362 100644 > --- a/drivers/iommu/dma-iommu.c > +++ b/drivers/iommu/dma-iommu.c > @@ -721,7 +721,7 @@ static int __finalise_sg(struct device *dev, struct > scatterlist *sg, int nents, > * - and wouldn't make the resulting output segment too long > */ > if (cur_len && !s_iova_off && (dma_addr & seg_mask) && > - (cur_len + s_length <= max_len)) { > + (max_len - cur_len >= s_length)) { > /* ...then concatenate it with the previous one */ > cur_len += s_length; > } else { _______________________________________________ iommu mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/iommu
