iommu/dma: Handle SG length overflow better
commit10f13d9804080db737f0b5678ac202fcbbf8e1be
authorRobin Murphy <robin.murphy@arm.com>
Mon, 29 Jul 2019 16:46:00 +0000 (29 17:46 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 6 Sep 2019 08:19:41 +0000 (6 10:19 +0200)
tree2313f1f59d8af6f85734a374bdfea270339f4d90
parent7900374c9a93f515f2ff9826bee02dd533c334e5
iommu/dma: Handle SG length overflow better

[ Upstream commit ab2cbeb0ed301a9f0460078e91b09f39958212ef ]

Since scatterlist dimensions are all unsigned ints, in the relatively
rare cases where a device's max_segment_size is set to UINT_MAX, then
the "cur_len + s_length <= max_len" check in __finalise_sg() will always
return true. As a result, the corner case of such a device mapping an
excessively large scatterlist which is mergeable to or beyond a total
length of 4GB can lead to overflow and a bogus truncated dma_length in
the resulting segment.

As we already assume that any single segment must be no longer than
max_len to begin with, this can easily be addressed by reshuffling the
comparison.

Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging")
Reported-by: Nicolin Chen <nicoleotsuka@gmail.com>
Tested-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/iommu/dma-iommu.c