From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754803AbdEDPzC (ORCPT ); Thu, 4 May 2017 11:55:02 -0400
Received: from mail-wm0-f66.google.com ([74.125.82.66]:34380 "EHLO
	mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751593AbdEDPyQ (ORCPT ); Thu, 4 May 2017 11:54:16 -0400
From: Tvrtko Ursulin
X-Google-Original-From: Tvrtko Ursulin
To: Intel-gfx@lists.freedesktop.org
Cc: tursulin@ursulin.net, Tvrtko Ursulin, Masahiro Yamada,
	linux-kernel@vger.kernel.org, Joonas Lahtinen, Andy Shevchenko
Subject: [PATCH 2/4] lib/scatterlist: Avoid potential scatterlist entry overflow
Date: Thu, 4 May 2017 16:54:03 +0100
Message-Id: <20170504155405.7425-2-tvrtko.ursulin@linux.intel.com>
X-Mailer: git-send-email 2.9.3
In-Reply-To: <20170504155405.7425-1-tvrtko.ursulin@linux.intel.com>
References: <20170504155405.7425-1-tvrtko.ursulin@linux.intel.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tvrtko Ursulin

Since the scatterlist length field is an unsigned int, make
sure that sg_alloc_table_from_pages does not overflow it while
coalescing pages to a single entry.

v2: Drop reference to future use. Use UINT_MAX.
v3: max_segment must be page aligned.
v4: Do not rely on compiler to optimise out the rounddown.
    (Joonas Lahtinen)
v5: Simplified loops and use post-increments rather than
    pre-increments. Use PAGE_MASK and fix comment typo.
    (Andy Shevchenko)

Signed-off-by: Tvrtko Ursulin
Cc: Masahiro Yamada
Cc: linux-kernel@vger.kernel.org
Reviewed-by: Chris Wilson (v2)
Cc: Joonas Lahtinen
Cc: Andy Shevchenko
---
 include/linux/scatterlist.h |  6 ++++++
 lib/scatterlist.c           | 31 ++++++++++++++++++++-----------
 2 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h index c981bee1a3ae..4768eeeb7054 100644 --- a/include/linux/scatterlist.h +++ b/include/linux/scatterlist.h @@ -21,6 +21,12 @@ struct scatterlist { }; /* + * Since the above length field is an unsigned int, below we define the maximum + * length in bytes that can be stored in one scatterlist entry. + */ +#define SCATTERLIST_MAX_SEGMENT (UINT_MAX & PAGE_MASK) + +/* * These macros should be used after a dma_map_sg call has been done * to get bus addresses of each of the SG entries and their lengths. * You should only work with the number of sg entries dma_map_sg diff --git a/lib/scatterlist.c b/lib/scatterlist.c index 11f172c383cb..ca4ccd8c80b9 100644 --- a/lib/scatterlist.c +++ b/lib/scatterlist.c @@ -394,17 +394,22 @@ int sg_alloc_table_from_pages(struct sg_table *sgt, unsigned int offset, unsigned long size, gfp_t gfp_mask) { - unsigned int chunks; - unsigned int i; - unsigned int cur_page; + const unsigned int max_segment = SCATTERLIST_MAX_SEGMENT; + unsigned int chunks, cur_page, seg_len, i; int ret; struct scatterlist *s; /* compute number of contiguous chunks */ chunks = 1; - for (i = 1; i < n_pages; ++i) - if (page_to_pfn(pages[i]) != page_to_pfn(pages[i - 1]) + 1) - ++chunks; + seg_len = 0; + for (i = 1; i < n_pages; i++) { + seg_len += PAGE_SIZE; + if (seg_len >= max_segment || + page_to_pfn(pages[i]) != page_to_pfn(pages[i - 1]) + 1) { + chunks++; + seg_len = 0; + } + } ret = sg_alloc_table(sgt, chunks, gfp_mask); if (unlikely(ret)) 
@@ -413,17 +418,21 @@ int sg_alloc_table_from_pages(struct sg_table *sgt, /* merging chunks and putting them into the scatterlist */ cur_page = 0; for_each_sg(sgt->sgl, s, sgt->orig_nents, i) { - unsigned long chunk_size; - unsigned int j; + unsigned int j, chunk_size; /* look for the end of the current chunk */ - for (j = cur_page + 1; j < n_pages; ++j) - if (page_to_pfn(pages[j]) != + seg_len = 0; + for (j = cur_page + 1; j < n_pages; j++) { + seg_len += PAGE_SIZE; + if (seg_len >= max_segment || + page_to_pfn(pages[j]) != page_to_pfn(pages[j - 1]) + 1) break; + } chunk_size = ((j - cur_page) << PAGE_SHIFT) - offset; - sg_set_page(s, pages[cur_page], min(size, chunk_size), offset); + sg_set_page(s, pages[cur_page], + min_t(unsigned long, size, chunk_size), offset); size -= chunk_size; offset = 0; cur_page = j; -- 2.9.3
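
Review bot: In the include/linux/scatterlist.h hunk, the new comment describes SCATTERLIST_MAX_SEGMENT as "the maximum length in bytes that can be stored in one scatterlist entry", but `UINT_MAX & PAGE_MASK` is that limit rounded down to a page boundary, so it is smaller than what the unsigned int length field can actually hold. Suggest the comment say it is the largest page-aligned length and state why alignment is required (the changelog only notes "max_segment must be page aligned"), so later users of the macro do not read it as the raw field limit.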
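
Review bot: In the first lib/scatterlist.c hunk (@@ -394), the counting loop's split test `seg_len >= max_segment || page_to_pfn(pages[i]) != page_to_pfn(pages[i - 1]) + 1` is duplicated in the fill loop of the following hunk, and the two must agree exactly: sg_alloc_table() is sized from `chunks`, and if the fill loop ever split less often it would reach `pages[cur_page]` with cur_page already at n_pages. Suggest factoring the "does this page start a new chunk" decision into one small helper used by both loops, or at least cross-referencing comments. A one-line comment that seg_len cannot wrap, because it advances in PAGE_SIZE steps and is reset once it reaches the page-aligned max_segment, would also help the next reader.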
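
Review bot: In the second lib/scatterlist.c hunk (@@ -413), `chunk_size` is narrowed from unsigned long to unsigned int without a comment, so `((j - cur_page) << PAGE_SHIFT) - offset` is now a 32-bit computation that is only correct because the inner loop breaks once seg_len reaches max_segment. Suggest documenting that dependency next to the declaration `unsigned int j, chunk_size;`, since relaxing the break condition later would silently truncate the length instead of failing. The switch to `min_t(unsigned long, size, chunk_size)` follows from the same type change and could be mentioned in the changelog alongside it.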