From: Dan Carpenter <dan.carpenter@linaro.org>
To: Jeffrey Hugo <quic_jhugo@quicinc.com>
Cc: Carl Vanderlip <quic_carlv@quicinc.com>,
Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>,
Oded Gabbay <ogabbay@kernel.org>,
Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>,
Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>,
linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH 3/5 v4] accel/qaic: Add consistent integer overflow checks
Date: Tue, 11 Jul 2023 11:21:00 +0300 [thread overview]
Message-ID: <ZK0Q7IsPkj6WSCcL@moroto> (raw)
In-Reply-To: <6e935c70-5bd2-4808-bdd9-d664f892b0b5@moroto.mountain>
The encode_dma() function has integer overflow checks. The
encode_passthrough(), encode_activate() and encode_status() functions
did not. I added integer overflow checking everywhere. I also
updated the integer overflow checking in encode_dma() to use size_add()
so everything is consistent.
Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
v2: no change
drivers/accel/qaic/qaic_control.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c
index 752b67aff777..23680f5f1902 100644
--- a/drivers/accel/qaic/qaic_control.c
+++ b/drivers/accel/qaic/qaic_control.c
@@ -367,7 +367,7 @@ static int encode_passthrough(struct qaic_device *qdev, void *trans, struct wrap
if (in_trans->hdr.len % 8 != 0)
return -EINVAL;
- if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_EXT_MSG_LENGTH)
+ if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_EXT_MSG_LENGTH)
return -ENOSPC;
trans_wrapper = add_wrapper(wrappers,
@@ -558,12 +558,10 @@ static int encode_dma(struct qaic_device *qdev, void *trans, struct wrapper_list
msg = &wrapper->msg;
msg_hdr_len = le32_to_cpu(msg->hdr.len);
- if (msg_hdr_len > (UINT_MAX - QAIC_MANAGE_EXT_MSG_LENGTH))
- return -EINVAL;
-
/* There should be enough space to hold at least one ASP entry. */
- if (msg_hdr_len + sizeof(*out_trans) + sizeof(struct wire_addr_size_pair) >
- QAIC_MANAGE_EXT_MSG_LENGTH)
+ if (size_add(msg_hdr_len,
+ sizeof(*out_trans) + sizeof(struct wire_addr_size_pair)) >
+ QAIC_MANAGE_EXT_MSG_LENGTH)
return -ENOMEM;
if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size)
@@ -635,7 +633,7 @@ static int encode_activate(struct qaic_device *qdev, void *trans, struct wrapper
msg = &wrapper->msg;
msg_hdr_len = le32_to_cpu(msg->hdr.len);
- if (msg_hdr_len + sizeof(*out_trans) > QAIC_MANAGE_MAX_MSG_LENGTH)
+ if (size_add(msg_hdr_len, sizeof(*out_trans)) > QAIC_MANAGE_MAX_MSG_LENGTH)
return -ENOSPC;
if (!in_trans->queue_size)
@@ -719,7 +717,7 @@ static int encode_status(struct qaic_device *qdev, void *trans, struct wrapper_l
msg = &wrapper->msg;
msg_hdr_len = le32_to_cpu(msg->hdr.len);
- if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_MAX_MSG_LENGTH)
+ if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_MAX_MSG_LENGTH)
return -ENOSPC;
trans_wrapper = add_wrapper(wrappers, sizeof(*trans_wrapper));
--
2.39.2
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Jeffrey Hugo <quic_jhugo@quicinc.com>
Cc: linux-arm-msm@vger.kernel.org, Oded Gabbay <ogabbay@kernel.org>,
kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org,
Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>,
Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>,
Carl Vanderlip <quic_carlv@quicinc.com>,
Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Subject: [PATCH 3/5 v4] accel/qaic: Add consistent integer overflow checks
Date: Tue, 11 Jul 2023 11:21:00 +0300 [thread overview]
Message-ID: <ZK0Q7IsPkj6WSCcL@moroto> (raw)
In-Reply-To: <6e935c70-5bd2-4808-bdd9-d664f892b0b5@moroto.mountain>
The encode_dma() function has integer overflow checks. The
encode_passthrough(), encode_activate() and encode_status() functions
did not. I added integer overflow checking everywhere. I also
updated the integer overflow checking in encode_dma() to use size_add()
so everything is consistent.
Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
v2: no change
drivers/accel/qaic/qaic_control.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c
index 752b67aff777..23680f5f1902 100644
--- a/drivers/accel/qaic/qaic_control.c
+++ b/drivers/accel/qaic/qaic_control.c
@@ -367,7 +367,7 @@ static int encode_passthrough(struct qaic_device *qdev, void *trans, struct wrap
if (in_trans->hdr.len % 8 != 0)
return -EINVAL;
- if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_EXT_MSG_LENGTH)
+ if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_EXT_MSG_LENGTH)
return -ENOSPC;
trans_wrapper = add_wrapper(wrappers,
@@ -558,12 +558,10 @@ static int encode_dma(struct qaic_device *qdev, void *trans, struct wrapper_list
msg = &wrapper->msg;
msg_hdr_len = le32_to_cpu(msg->hdr.len);
- if (msg_hdr_len > (UINT_MAX - QAIC_MANAGE_EXT_MSG_LENGTH))
- return -EINVAL;
-
/* There should be enough space to hold at least one ASP entry. */
- if (msg_hdr_len + sizeof(*out_trans) + sizeof(struct wire_addr_size_pair) >
- QAIC_MANAGE_EXT_MSG_LENGTH)
+ if (size_add(msg_hdr_len,
+ sizeof(*out_trans) + sizeof(struct wire_addr_size_pair)) >
+ QAIC_MANAGE_EXT_MSG_LENGTH)
return -ENOMEM;
if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size)
@@ -635,7 +633,7 @@ static int encode_activate(struct qaic_device *qdev, void *trans, struct wrapper
msg = &wrapper->msg;
msg_hdr_len = le32_to_cpu(msg->hdr.len);
- if (msg_hdr_len + sizeof(*out_trans) > QAIC_MANAGE_MAX_MSG_LENGTH)
+ if (size_add(msg_hdr_len, sizeof(*out_trans)) > QAIC_MANAGE_MAX_MSG_LENGTH)
return -ENOSPC;
if (!in_trans->queue_size)
@@ -719,7 +717,7 @@ static int encode_status(struct qaic_device *qdev, void *trans, struct wrapper_l
msg = &wrapper->msg;
msg_hdr_len = le32_to_cpu(msg->hdr.len);
- if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_MAX_MSG_LENGTH)
+ if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_MAX_MSG_LENGTH)
return -ENOSPC;
trans_wrapper = add_wrapper(wrappers, sizeof(*trans_wrapper));
--
2.39.2
next prev parent reply other threads:[~2023-07-11 8:21 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-11 8:20 [PATCH 0/5 v4] accel/qaic: Improve bounds checking in encode/decode Dan Carpenter
2023-07-11 8:20 ` Dan Carpenter
2023-07-11 8:20 ` [PATCH 1/5 v4] accel/qaic: tighten bounds checking in encode_message() Dan Carpenter
2023-07-11 8:20 ` Dan Carpenter
2023-07-14 11:41 ` Pranjal Ramajor Asha Kanojiya
2023-07-14 11:41 ` Pranjal Ramajor Asha Kanojiya
2023-07-14 16:02 ` Jeffrey Hugo
2023-07-14 16:02 ` Jeffrey Hugo
2023-07-11 8:20 ` [PATCH 2/5 v4] accel/qaic: tighten bounds checking in decode_message() Dan Carpenter
2023-07-11 8:20 ` Dan Carpenter
2023-07-14 11:42 ` Pranjal Ramajor Asha Kanojiya
2023-07-14 11:42 ` Pranjal Ramajor Asha Kanojiya
2023-07-14 16:05 ` Jeffrey Hugo
2023-07-14 16:05 ` Jeffrey Hugo
2023-07-11 8:21 ` Dan Carpenter [this message]
2023-07-11 8:21 ` [PATCH 3/5 v4] accel/qaic: Add consistent integer overflow checks Dan Carpenter
2023-07-14 11:44 ` Pranjal Ramajor Asha Kanojiya
2023-07-14 11:44 ` Pranjal Ramajor Asha Kanojiya
2023-07-14 16:14 ` Jeffrey Hugo
2023-07-14 16:14 ` Jeffrey Hugo
2023-07-11 8:21 ` [PATCH 4/5 v4] accel/qaic: move and expand integer overflow checks for map_user_pages() Dan Carpenter
2023-07-11 8:21 ` Dan Carpenter
2023-07-14 11:46 ` Pranjal Ramajor Asha Kanojiya
2023-07-14 11:46 ` Pranjal Ramajor Asha Kanojiya
2023-07-11 8:21 ` [PATCH 5/5 v4] accel/qaic: Fix a leak in map_user_pages() Dan Carpenter
2023-07-11 8:21 ` Dan Carpenter
2023-07-14 11:47 ` Pranjal Ramajor Asha Kanojiya
2023-07-14 11:47 ` Pranjal Ramajor Asha Kanojiya
2023-07-14 16:17 ` Jeffrey Hugo
2023-07-14 16:17 ` Jeffrey Hugo
2023-07-11 17:33 ` [PATCH 0/5 v4] accel/qaic: Improve bounds checking in encode/decode Jeffrey Hugo
2023-07-11 17:33 ` Jeffrey Hugo
2023-07-12 6:30 ` Dan Carpenter
2023-07-12 6:30 ` Dan Carpenter
2023-07-12 14:22 ` Jeffrey Hugo
2023-07-12 14:22 ` Jeffrey Hugo
2023-08-04 14:36 ` Jeffrey Hugo
2023-08-04 14:36 ` Jeffrey Hugo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZK0Q7IsPkj6WSCcL@moroto \
--to=dan.carpenter@linaro.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=jacek.lawrynowicz@linux.intel.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=ogabbay@kernel.org \
--cc=quic_carlv@quicinc.com \
--cc=quic_jhugo@quicinc.com \
--cc=quic_pkanojiy@quicinc.com \
--cc=stanislaw.gruszka@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.