diff options
| author | Robin Murphy <robin.murphy@arm.com> | 2019-07-29 19:46:00 +0300 |
|---|---|---|
| committer | Joerg Roedel <jroedel@suse.de> | 2019-08-09 18:31:39 +0300 |
| commit | ab2cbeb0ed301a9f0460078e91b09f39958212ef (patch) | |
| tree | f63defbae2945d3846f20b852ccde41b9208f1b3 /Documentation/m68k | |
| parent | bfeaec7f7d2f6b09764a1b48e88e9ca3d5076419 (diff) | |
| download | linux-ab2cbeb0ed301a9f0460078e91b09f39958212ef.tar.xz | |
iommu/dma: Handle SG length overflow better
Since scatterlist dimensions are all unsigned ints, in the relatively
rare cases where a device's max_segment_size is set to UINT_MAX, then
the "cur_len + s_length <= max_len" check in __finalise_sg() will always
return true. As a result, the corner case of such a device mapping an
excessively large scatterlist which is mergeable to or beyond a total
length of 4GB can lead to overflow and a bogus truncated dma_length in
the resulting segment.
As we already assume that any single segment must be no longer than
max_len to begin with, this can easily be addressed by reshuffling the
comparison.
Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging")
Reported-by: Nicolin Chen <nicoleotsuka@gmail.com>
Tested-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Diffstat (limited to 'Documentation/m68k')
0 files changed, 0 insertions, 0 deletions