From: <yf.wang@mediatek.com> To: Christoph Hellwig <hch@lst.de>, Robin Murphy <robin.murphy@arm.com>, "Marek Szyprowski" <m.szyprowski@samsung.com>, Matthias Brugger <matthias.bgg@gmail.com>, "open list:DMA MAPPING HELPERS" <iommu@lists.linux.dev>, open list <linux-kernel@vger.kernel.org>, "moderated list:ARM/Mediatek SoC support" <linux-arm-kernel@lists.infradead.org>, "moderated list:ARM/Mediatek SoC support" <linux-mediatek@lists.infradead.org> Cc: <wsd_upstream@mediatek.com>, Libo Kang <Libo.Kang@mediatek.com>, Ning Li <Ning.Li@mediatek.com>, Yong Wu <Yong.Wu@mediatek.com>, Miles Chen <miles.chen@mediatek.com>, Yunfei Wang <yf.wang@mediatek.com>, jianjiao zeng <jianjiao.zeng@mediatek.com> Subject: [PATCH] dma-debug: Fix overflow issue in bucket_find_contain Date: Sat, 30 Jul 2022 19:41:45 +0800 [thread overview] Message-ID: <20220730114146.32669-1-yf.wang@mediatek.com> (raw) From: Yunfei Wang <yf.wang@mediatek.com> There are two issue: 1. If max_rang is set to 0xFFFF_FFFF, and __hash_bucket_find always returns NULL, the rang will be accumulated. When rang is accumulated to 0xFFFF_E000, after executing rang += (1 << HASH_FN_SHIFT) again, rang will overflow to 0, making it impossible to exit the while loop. 2. dev_addr reduce maybe overflow. So, add range and dev_addr check to avoid overflow. Signed-off-by: jianjiao zeng <jianjiao.zeng@mediatek.com> Signed-off-by: Yunfei Wang <yf.wang@mediatek.com> --- kernel/dma/debug.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c index ad731f7858c9..9d7d54cd4c63 100644 --- a/kernel/dma/debug.c +++ b/kernel/dma/debug.c @@ -352,6 +352,7 @@ static struct dma_debug_entry *bucket_find_contain(struct hash_bucket **bucket, unsigned int max_range = dma_get_max_seg_size(ref->dev); struct dma_debug_entry *entry, index = *ref; + unsigned int shift = (1 << HASH_FN_SHIFT); unsigned int range = 0; while (range <= max_range) { @@ -360,12 +361,15 @@ static struct dma_debug_entry *bucket_find_contain(struct hash_bucket **bucket, if (entry) return entry; + if (max_range - range < shift || index.dev_addr < shift) + return NULL; + /* * Nothing found, go back a hash bucket */ put_hash_bucket(*bucket, *flags); - range += (1 << HASH_FN_SHIFT); - index.dev_addr -= (1 << HASH_FN_SHIFT); + range += shift; + index.dev_addr -= shift; *bucket = get_hash_bucket(&index, flags); } -- 2.18.0
WARNING: multiple messages have this Message-ID (diff)
From: <yf.wang@mediatek.com> To: Christoph Hellwig <hch@lst.de>, Robin Murphy <robin.murphy@arm.com>, "Marek Szyprowski" <m.szyprowski@samsung.com>, Matthias Brugger <matthias.bgg@gmail.com>, "open list:DMA MAPPING HELPERS" <iommu@lists.linux.dev>, open list <linux-kernel@vger.kernel.org>, "moderated list:ARM/Mediatek SoC support" <linux-arm-kernel@lists.infradead.org>, "moderated list:ARM/Mediatek SoC support" <linux-mediatek@lists.infradead.org> Cc: <wsd_upstream@mediatek.com>, Libo Kang <Libo.Kang@mediatek.com>, Ning Li <Ning.Li@mediatek.com>, Yong Wu <Yong.Wu@mediatek.com>, Miles Chen <miles.chen@mediatek.com>, Yunfei Wang <yf.wang@mediatek.com>, jianjiao zeng <jianjiao.zeng@mediatek.com> Subject: [PATCH] dma-debug: Fix overflow issue in bucket_find_contain Date: Sat, 30 Jul 2022 19:41:45 +0800 [thread overview] Message-ID: <20220730114146.32669-1-yf.wang@mediatek.com> (raw) From: Yunfei Wang <yf.wang@mediatek.com> There are two issue: 1. If max_rang is set to 0xFFFF_FFFF, and __hash_bucket_find always returns NULL, the rang will be accumulated. When rang is accumulated to 0xFFFF_E000, after executing rang += (1 << HASH_FN_SHIFT) again, rang will overflow to 0, making it impossible to exit the while loop. 2. dev_addr reduce maybe overflow. So, add range and dev_addr check to avoid overflow. Signed-off-by: jianjiao zeng <jianjiao.zeng@mediatek.com> Signed-off-by: Yunfei Wang <yf.wang@mediatek.com> --- kernel/dma/debug.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c index ad731f7858c9..9d7d54cd4c63 100644 --- a/kernel/dma/debug.c +++ b/kernel/dma/debug.c @@ -352,6 +352,7 @@ static struct dma_debug_entry *bucket_find_contain(struct hash_bucket **bucket, unsigned int max_range = dma_get_max_seg_size(ref->dev); struct dma_debug_entry *entry, index = *ref; + unsigned int shift = (1 << HASH_FN_SHIFT); unsigned int range = 0; while (range <= max_range) { @@ -360,12 +361,15 @@ static struct dma_debug_entry *bucket_find_contain(struct hash_bucket **bucket, if (entry) return entry; + if (max_range - range < shift || index.dev_addr < shift) + return NULL; + /* * Nothing found, go back a hash bucket */ put_hash_bucket(*bucket, *flags); - range += (1 << HASH_FN_SHIFT); - index.dev_addr -= (1 << HASH_FN_SHIFT); + range += shift; + index.dev_addr -= shift; *bucket = get_hash_bucket(&index, flags); } -- 2.18.0 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next reply other threads:[~2022-07-30 11:52 UTC|newest] Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-07-30 11:41 yf.wang [this message] 2022-07-30 11:41 ` [PATCH] dma-debug: Fix overflow issue in bucket_find_contain yf.wang 2022-08-01 17:57 ` Christoph Hellwig 2022-08-01 17:57 ` Christoph Hellwig 2022-08-01 18:47 ` Robin Murphy 2022-08-01 18:47 ` Robin Murphy
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20220730114146.32669-1-yf.wang@mediatek.com \ --to=yf.wang@mediatek.com \ --cc=Libo.Kang@mediatek.com \ --cc=Ning.Li@mediatek.com \ --cc=Yong.Wu@mediatek.com \ --cc=hch@lst.de \ --cc=iommu@lists.linux.dev \ --cc=jianjiao.zeng@mediatek.com \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mediatek@lists.infradead.org \ --cc=m.szyprowski@samsung.com \ --cc=matthias.bgg@gmail.com \ --cc=miles.chen@mediatek.com \ --cc=robin.murphy@arm.com \ --cc=wsd_upstream@mediatek.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.