diff options
| author | Dan Carpenter <dan.carpenter@linaro.org> | 2023-08-10 15:23:06 +0300 | 
|---|---|---|
| committer | Jeffrey Hugo <quic_jhugo@quicinc.com> | 2023-08-15 09:51:13 -0600 | 
| commit | 96d3c1cadedb6ae2e8965e19cd12caa244afbd9c (patch) | |
| tree | 16ea96d0f50131e5280d52ad7bd9d5e485b9e096 /tools/testing/selftests/bpf/prog_tests/helper_restricted.c | |
| parent | 2d956177b7c96e62fac762a3b7da4318cde27a73 (diff) | |
accel/qaic: Clean up integer overflow checking in map_user_pages()
The encode_dma() function has some validation on in_trans->size but it
would be more clear to move those checks to find_and_map_user_pages().
The encode_dma() had two checks:
	if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size)
		return -EINVAL;
The in_trans->addr variable is the starting address.  The in_trans->size
variable is the total size of the transfer.  The transfer can occur in
parts and the resources->xferred_dma_size tracks how many bytes we have
already transferred.
This patch introduces a new variable "remaining" which represents the
amount we want to transfer (in_trans->size) minus the amount we have
already transferred (resources->xferred_dma_size).
I have modified the check for if in_trans->size is zero to instead check
if in_trans->size is less than resources->xferred_dma_size.  If we have
already transferred more bytes than in_trans->size then there are negative
bytes remaining which doesn't make sense.  If there are zero bytes
remaining to be copied, just return success.
The check in encode_dma() checked that "addr + size" could not overflow
and barring a driver bug that should work, but it's easier to check if
we do this in parts.  First check that "in_trans->addr +
resources->xferred_dma_size" is safe.  Then check that "xfer_start_addr +
remaining" is safe.
My final concern was that we are dealing with u64 values but on 32bit
systems the kmalloc() function will truncate the sizes to 32 bits.  So
I calculated "total = in_trans->size + offset_in_page(xfer_start_addr);"
and returned -EINVAL if it were >= SIZE_MAX.  This will not affect 64bit
systems.
Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Reviewed-by: Carl Vanderlip <quic_carlv@quicinc.com>
Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Link: https://patchwork.freedesktop.org/patch/msgid/24d3348b-25ac-4c1b-b171-9dae7c43e4e0@moroto.mountain
Diffstat (limited to 'tools/testing/selftests/bpf/prog_tests/helper_restricted.c')
0 files changed, 0 insertions, 0 deletions
