From: will.deacon@arm.com (Will Deacon)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] ARM: mm: fix the boundary checking on bitmaps
Date: Thu, 10 Jul 2014 12:12:59 +0100
Message-ID: <20140710111259.GL2449@arm.com>
In-Reply-To: <1404959313-15198-1-git-send-email-haojian.zhuang@linaro.org>

On Thu, Jul 10, 2014 at 03:28:33AM +0100, Haojian Zhuang wrote:
> The issue of boundary checking on bitmaps was introduced by the commit
> below.
> 
> commit 4d852ef8c2544ce21ae41414099a7504c61164a0
> Author: Andreas Herrmann <andreas.herrmann@calxeda.com>
> Date:   Tue Feb 25 13:09:53 2014 +0100
> 
>     arm: dma-mapping: Add support to extend DMA IOMMU mappings
> 
> Multiple bitmaps were introduced as an extension. If it needs to extend
> a bitmap, it still checks whether the allocation exceeds the total
> size, not the current bitmap size. So change the condition from
> mapping->bits to PAGE_SIZE.
> 
> Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
> ---
>  arch/arm/mm/dma-mapping.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
> index 4c88935..d7da5c3 100644
> --- a/arch/arm/mm/dma-mapping.c
> +++ b/arch/arm/mm/dma-mapping.c
> @@ -1089,9 +1089,9 @@ static inline dma_addr_t __alloc_iova(struct dma_iommu_mapping *mapping,
>  	spin_lock_irqsave(&mapping->lock, flags);
>  	for (i = 0; i < mapping->nr_bitmaps; i++) {
>  		start = bitmap_find_next_zero_area(mapping->bitmaps[i],
> -				mapping->bits, 0, count, align);
> +				PAGE_SIZE, 0, count, align);
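
Review bot: on the added line, PAGE_SIZE is passed as the size argument of bitmap_find_next_zero_area(), which is a count of bits, while PAGE_SIZE is a byte count, and nothing visible in this hunk ties it to how mapping->bitmaps[i] was allocated. If a bitmap holds fewer than PAGE_SIZE bits, the search can return a range that lies past the end of the bitmap, and the following set operation would then write outside it. Suggest bounding the search by a per-bitmap bit count recorded in the mapping when the bitmap is allocated, rather than a constant, and stating the unit (bits, not bytes) in a comment next to the call.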

I'm probably just missing something, but what guarantees that the bitmap is
PAGE_SIZE? It looks to me like we could easily go off the end of the bitmap
if arm_iommu_create_mapping is called with a small size parameter.

Will
