From: Arnd Bergmann
To: Russell King, Arnd Bergmann, Kyungmin Park, Marek Szyprowski
Cc: Thomas Bogendoerfer, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] ARM: dma-mapping: fix out of bounds access in CMA
Date: Tue, 23 Mar 2021 14:14:13 +0100
Message-Id: <20210323131423.2581218-1-arnd@kernel.org>

From: Arnd Bergmann

Dereferencing a zero-length array is always a bug, and we get a warning
with 'make W=1' here:

arch/arm/mm/dma-mapping.c: In function 'dma_contiguous_early_fixup':
arch/arm/mm/dma-mapping.c:395:15: error: array subscript is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]
  395 |  dma_mmu_remap[dma_mmu_remap_num].base = base;
      |  ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
arch/arm/mm/dma-mapping.c:389:40: note: while referencing 'dma_mmu_remap'
  389 | static struct dma_contig_early_reserve dma_mmu_remap[MAX_CMA_AREAS] __initdata;
      |                                        ^~~~~~~~~~~~~
arch/arm/mm/dma-mapping.c:396:15: error: array subscript is outside array bounds of 'struct dma_contig_early_reserve[0]' [-Werror=array-bounds]

Add a runtime check to prevent this from happening, while also
avoiding the compile-time warning.

Fixes: c79095092834 ("ARM: integrate CMA with DMA-mapping subsystem")
Signed-off-by: Arnd Bergmann
--- arch/arm/mm/dma-mapping.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c index c4b8df2ad328..af29344fb150 100644 --- a/arch/arm/mm/dma-mapping.c +++ b/arch/arm/mm/dma-mapping.c @@ -392,6 +392,11 @@ static int dma_mmu_remap_num __initdata; void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size) { + if (!MAX_CMA_AREAS || dma_mmu_remap_num >= MAX_CMA_AREAS) { + WARN_ONCE(1, "number of CMA areas\n"); + return; + } + dma_mmu_remap[dma_mmu_remap_num].base = base; dma_mmu_remap[dma_mmu_remap_num].size = size; dma_mmu_remap_num++; 
@@ -400,6 +405,10 @@ void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size) void __init dma_contiguous_remap(void) { int i; + + if (!MAX_CMA_AREAS) + return; + for (i = 0; i < dma_mmu_remap_num; i++) { phys_addr_t start = dma_mmu_remap[i].base; phys_addr_t end = start + dma_mmu_remap[i].size; -- 2.29.2
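
Review bot: In the first hunk (dma_contiguous_early_fixup), the message in WARN_ONCE(1, "number of CMA areas\n") does not say what went wrong, so a reader of the boot log cannot tell that dma_mmu_remap[] is full or zero-sized and that this base/size pair was dropped. Suggest wording that names the condition and the limit, for example "too many CMA areas (limit %d), region not recorded\n" with MAX_CMA_AREAS as the argument. Because the function returns void and WARN_ONCE fires only once, any further dropped regions are silent; a short comment above the check saying so would help whoever debugs a missing remap later.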
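
Review bot: In the second hunk (dma_contiguous_remap), the early return on !MAX_CMA_AREAS has no stated reason: the warnings quoted in the commit message are all in dma_contiguous_early_fixup (lines 395 and 396), and with the first hunk's check in place dma_mmu_remap_num is never incremented when MAX_CMA_AREAS is 0, as far as these hunks show, so the loop over dma_mmu_remap[i] is already skipped at run time. If the check is there only to keep the compiler from seeing an access to the zero-length array, say so in a comment next to it or in the commit message; otherwise it reads as dead code and is likely to be removed in a later cleanup.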