svn commit: r289652 - head/sys/dev/ntb/if_ntb

Tue, 20 Oct 2015 12:21:08 -0700 

Author: cem
Date: Tue Oct 20 19:20:52 2015
New Revision: 289652
URL: https://svnweb.freebsd.org/changeset/base/289652

Log:
  NTB: MFV 8c9edf63: Fix zero size or integer overflow in ntb_set_mw
  
  A plain 32 bit integer will overflow for values over 4GiB.
  
  Change the plain integer size to the appropriate size type in
  ntb_set_mw.  Change the type of the size parameter and two local
  variables used for size.
  
  Even if there is no overflow, a size of zero is invalid here.
  
  Authored by:  Allen Hubbe
  Reported by:  Juyoung Jung
  Obtained from:        Linux (Dual BSD/GPL driver)
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/sys/dev/ntb/if_ntb/if_ntb.c

Modified: head/sys/dev/ntb/if_ntb/if_ntb.c
==============================================================================
--- head/sys/dev/ntb/if_ntb/if_ntb.c    Tue Oct 20 19:20:42 2015        
(r289651)
+++ head/sys/dev/ntb/if_ntb/if_ntb.c    Tue Oct 20 19:20:52 2015        
(r289652)
@@ -295,7 +295,7 @@ static void ntb_complete_rxc(void *arg, 
 static void ntb_transport_doorbell_callback(void *data, uint32_t vector);
 static void ntb_transport_event_callback(void *data);
 static void ntb_transport_link_work(void *arg);
-static int ntb_set_mw(struct ntb_transport_ctx *, int num_mw, unsigned size);
+static int ntb_set_mw(struct ntb_transport_ctx *, int num_mw, size_t size);
 static void ntb_free_mw(struct ntb_transport_ctx *nt, int num_mw);
 static int ntb_transport_setup_qp_mw(struct ntb_transport_ctx *nt,
     unsigned int qp_num);
@@ -1266,12 +1266,15 @@ out:
 }
 
 static int
-ntb_set_mw(struct ntb_transport_ctx *nt, int num_mw, unsigned size)
+ntb_set_mw(struct ntb_transport_ctx *nt, int num_mw, size_t size)
 {
        struct ntb_transport_mw *mw = &nt->mw_vec[num_mw];
-       unsigned xlat_size, buff_size;
+       size_t xlat_size, buff_size;
        int rc;
 
+       if (size == 0)
+               return (EINVAL);
+
        xlat_size = roundup(size, mw->xlat_align_size);
        buff_size = roundup(size, mw->xlat_align);
 
@@ -1305,7 +1308,7 @@ ntb_set_mw(struct ntb_transport_ctx *nt,
         */
        if (mw->dma_addr % mw->xlat_align != 0) {
                if_printf(nt->ifp,
-                   "DMA memory 0x%jx not aligned to BAR size 0x%x\n",
+                   "DMA memory 0x%jx not aligned to BAR size 0x%zx\n",
                    (uintmax_t)mw->dma_addr, size);
                ntb_free_mw(nt, num_mw);
                return (ENOMEM);
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to