* [PATCH] accel/qaic: Quiet array bounds check on DMA abort message
@ 2023-10-27 18:08 ` Jeffrey Hugo
  0 siblings, 0 replies; 6+ messages in thread
From: Jeffrey Hugo @ 2023-10-27 18:08 UTC (permalink / raw)
  To: quic_carlv, quic_pkanojiy, stanislaw.gruszka, ogabbay
  Cc: linux-arm-msm, dri-devel, kernel test robot, Jeffrey Hugo

From: Carl Vanderlip <quic_carlv@quicinc.com>

Current wrapper is right-sized to the message being transferred;
however, this is smaller than the structure defining message wrappers
since the trailing element is a union of message/transfer headers of
various sizes (8 and 32 bytes on 32-bit system where issue was
reported). Using the smaller header with a small message
(wire_trans_dma_xfer is 24 bytes including header) ends up being smaller
than a wrapper with the larger header. There are no accesses outside of
the defined size, however they are possible if the larger union member
is referenced.

Abort messages are outside of hot-path and changing the wrapper struct
would require a larger rewrite, so having the memory allocated to the
message be 8 bytes too big is acceptable.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202310182253.bcb9JcyJ-lkp@intel.com/
Signed-off-by: Carl Vanderlip <quic_carlv@quicinc.com>
Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
---
 drivers/accel/qaic/qaic_control.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c
index 388abd40024b..84915824be54 100644
--- a/drivers/accel/qaic/qaic_control.c
+++ b/drivers/accel/qaic/qaic_control.c
@@ -1138,7 +1138,7 @@ static int abort_dma_cont(struct qaic_device *qdev, struct wrapper_list *wrapper
 		if (!list_is_first(&wrapper->list, &wrappers->list))
 			kref_put(&wrapper->ref_count, free_wrapper);
 
-	wrapper = add_wrapper(wrappers, offsetof(struct wrapper_msg, trans) + sizeof(*out_trans));
+	wrapper = add_wrapper(wrappers, sizeof(*wrapper));
 
 	if (!wrapper)
 		return -ENOMEM;
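Review bot: The new size argument `sizeof(*wrapper)` sits in the same statement that reassigns `wrapper`, which the lines just above use as the list cursor handed to kref_put(). sizeof only inspects the type, so nothing is dereferenced, but `sizeof(struct wrapper_msg)` would match the type named in the removed offsetof() expression and would not read as depending on a pointer that may already have been released. The allocation is now deliberately larger than the out_trans payload, and nothing at the call site says so; a one-line comment that the full struct is allocated to keep the trailing union in bounds would stop a later cleanup from shrinking it back. It is also worth confirming that the length sent for this message is still derived from sizeof(*out_trans) and not from the size passed here, since that is not visible in this hunk.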
-- 
2.40.1


* Re: [PATCH] accel/qaic: Quiet array bounds check on DMA abort message
  2023-10-27 18:08 ` Jeffrey Hugo
@ 2023-10-30  6:43   ` Stanislaw Gruszka
  -1 siblings, 0 replies; 6+ messages in thread
From: Stanislaw Gruszka @ 2023-10-30  6:43 UTC (permalink / raw)
  To: Jeffrey Hugo
  Cc: quic_carlv, quic_pkanojiy, ogabbay, linux-arm-msm, dri-devel,
	kernel test robot

On Fri, Oct 27, 2023 at 12:08:10PM -0600, Jeffrey Hugo wrote:
> From: Carl Vanderlip <quic_carlv@quicinc.com>
> 
> Current wrapper is right-sized to the message being transferred;
> however, this is smaller than the structure defining message wrappers
> since the trailing element is a union of message/transfer headers of
> various sizes (8 and 32 bytes on 32-bit system where issue was
> reported). Using the smaller header with a small message
> (wire_trans_dma_xfer is 24 bytes including header) ends up being smaller
> than a wrapper with the larger header. There are no accesses outside of
> the defined size, however they are possible if the larger union member
> is referenced.
> 
> Abort messages are outside of hot-path and changing the wrapper struct
> would require a larger rewrite, so having the memory allocated to the
> message be 8 bytes too big is acceptable.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202310182253.bcb9JcyJ-lkp@intel.com/
> Signed-off-by: Carl Vanderlip <quic_carlv@quicinc.com>
> Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
> Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
> Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>

* Re: [PATCH] accel/qaic: Quiet array bounds check on DMA abort message
  2023-10-27 18:08 ` Jeffrey Hugo
@ 2023-11-03 15:02   ` Jeffrey Hugo
  -1 siblings, 0 replies; 6+ messages in thread
From: Jeffrey Hugo @ 2023-11-03 15:02 UTC (permalink / raw)
  To: quic_carlv, quic_pkanojiy, stanislaw.gruszka, ogabbay
  Cc: linux-arm-msm, dri-devel, kernel test robot

On 10/27/2023 12:08 PM, Jeffrey Hugo wrote:
> From: Carl Vanderlip <quic_carlv@quicinc.com>
> 
> Current wrapper is right-sized to the message being transferred;
> however, this is smaller than the structure defining message wrappers
> since the trailing element is a union of message/transfer headers of
> various sizes (8 and 32 bytes on 32-bit system where issue was
> reported). Using the smaller header with a small message
> (wire_trans_dma_xfer is 24 bytes including header) ends up being smaller
> than a wrapper with the larger header. There are no accesses outside of
> the defined size, however they are possible if the larger union member
> is referenced.
> 
> Abort messages are outside of hot-path and changing the wrapper struct
> would require a larger rewrite, so having the memory allocated to the
> message be 8 bytes too big is acceptable.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202310182253.bcb9JcyJ-lkp@intel.com/
> Signed-off-by: Carl Vanderlip <quic_carlv@quicinc.com>
> Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
> Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
> Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>

Pushed to drm-misc-next

-Jeff
