From: Jason Gunthorpe <jgg@nvidia.com>
To: Joao Martins <joao.m.martins@oracle.com>
Cc: iommu@lists.linux.dev, Kevin Tian <kevin.tian@intel.com>,
Matt Ochs <mochs@nvidia.com>,
patches@lists.linux.dev, Will Deacon <will@kernel.org>,
Joerg Roedel <joro@8bytes.org>
Subject: Re: [PATCH] iommufd/selftest: Fix buffer read overrrun in the dirty test
Date: Thu, 22 Aug 2024 13:59:31 -0300
Message-ID: <20240822165931.GS3773488@nvidia.com>
In-Reply-To: <e978b42b-3077-403f-a5b0-7da6b52f29d8@oracle.com>
On Thu, Aug 22, 2024 at 05:52:26PM +0100, Joao Martins wrote:
> On 22/08/2024 15:47, Jason Gunthorpe wrote:
> > diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
> > index b60687f57bef3b..c360d5a7675921 100644
> > --- a/drivers/iommu/iommufd/selftest.c
> > +++ b/drivers/iommu/iommufd/selftest.c
> > @@ -1342,7 +1342,7 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id,
> > unsigned long page_size, void __user *uptr,
> > u32 flags)
> > {
> > - unsigned long bitmap_size, i, max;
> > + unsigned long i, max;
> > struct iommu_test_cmd *cmd = ucmd->cmd;
> > struct iommufd_hw_pagetable *hwpt;
> > struct mock_iommu_domain *mock;
> > @@ -1363,15 +1363,14 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id,
> > }
> >
> > max = length / page_size;
> > - bitmap_size = DIV_ROUND_UP(max, BITS_PER_BYTE);
> > -
> > - tmp = kvzalloc(bitmap_size, GFP_KERNEL_ACCOUNT);
> > + tmp = kvzalloc(DIV_ROUND_UP(max, BITS_PER_LONG) * sizeof(unsigned long),
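Review bot: The new `kvzalloc()` argument in this hunk open-codes the long-rounded size as `DIV_ROUND_UP(max, BITS_PER_LONG) * sizeof(unsigned long)`; `kvcalloc(BITS_TO_LONGS(max), sizeof(unsigned long), GFP_KERNEL_ACCOUNT)` would express the same allocation, keep the zeroing, and check the multiplication for overflow. With `bitmap_size` removed, the byte-rounded length `DIV_ROUND_UP(max, BITS_PER_BYTE)` no longer has a name, and the quoted hunk is cut before any read from `uptr` is visible, so a short comment at the allocation saying that the kernel buffer is rounded up to whole longs while the length taken from the user buffer must stay byte-rounded would keep the two sizes from being merged again later.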
>
> If you keep bitmap_size then this gets to be a one-liner patch, but I assume you
> want to remove bitmap_size anyways.
Then we would technically read past the end of the user buffer..
Thanks,
Jason