mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-26 06:04:14 +08:00
iommu/dma: Handle SG length overflow better
Since scatterlist dimensions are all unsigned ints, in the relatively
rare cases where a device's max_segment_size is set to UINT_MAX, then
the "cur_len + s_length <= max_len" check in __finalise_sg() will always
return true. As a result, the corner case of such a device mapping an
excessively large scatterlist which is mergeable to or beyond a total
length of 4GB can lead to overflow and a bogus truncated dma_length in
the resulting segment.
As we already assume that any single segment must be no longer than
max_len to begin with, this can easily be addressed by reshuffling the
comparison.
Fixes: 809eac54cd
("iommu/dma: Implement scatterlist segment merging")
Reported-by: Nicolin Chen <nicoleotsuka@gmail.com>
Tested-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
This commit is contained in:
parent
bfeaec7f7d
commit
ab2cbeb0ed
@ -762,7 +762,7 @@ static int __finalise_sg(struct device *dev, struct scatterlist *sg, int nents,
|
|||||||
* - and wouldn't make the resulting output segment too long
|
* - and wouldn't make the resulting output segment too long
|
||||||
*/
|
*/
|
||||||
if (cur_len && !s_iova_off && (dma_addr & seg_mask) &&
|
if (cur_len && !s_iova_off && (dma_addr & seg_mask) &&
|
||||||
(cur_len + s_length <= max_len)) {
|
(max_len - cur_len >= s_length)) {
|
||||||
/* ...then concatenate it with the previous one */
|
/* ...then concatenate it with the previous one */
|
||||||
cur_len += s_length;
|
cur_len += s_length;
|
||||||
} else {
|
} else {
|
||||||
|
Loading…
Reference in New Issue
Block a user