• Robin Murphy's avatar
    iommu/dma: Handle SG length overflow better · ab2cbeb0
    Robin Murphy authored
    Since scatterlist dimensions are all unsigned ints, in the relatively
    rare cases where a device's max_segment_size is set to UINT_MAX, then
    the "cur_len + s_length <= max_len" check in __finalise_sg() will always
    return true. As a result, the corner case of such a device mapping an
    excessively large scatterlist which is mergeable to or beyond a total
    length of 4GB can lead to overflow and a bogus truncated dma_length in
    the resulting segment.
    
    As we already assume that any single segment must be no longer than
    max_len to begin with, this can easily be addressed by reshuffling the
    comparison.
    
    Fixes: 809eac54 ("iommu/dma: Implement scatterlist segment merging")
    Reported-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
    Tested-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
    Signed-off-by: default avatarRobin Murphy <robin.murphy@arm.com>
    Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
    ab2cbeb0
dma-iommu.c 33.8 KB