Home Home > GIT Browse > SLE15
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoerg Roedel <jroedel@suse.de>2019-08-19 10:09:20 +0200
committerJoerg Roedel <jroedel@suse.de>2019-08-19 10:09:20 +0200
commitaa7828b343e6ff7c25fac06bb534ced3e6424e76 (patch)
treee1790c9b60886e82af2e2edcd5231fca559d62af
parent1780c7cfc0c3342dc388e1a7e0db5e9b72800d93 (diff)
iommu/dma: Handle SG length overflow better (bsc#1146084).SLE15
-rw-r--r--patches.drivers/iommu-dma-handle-sg-length-overflow-better42
-rw-r--r--series.conf1
2 files changed, 43 insertions, 0 deletions
diff --git a/patches.drivers/iommu-dma-handle-sg-length-overflow-better b/patches.drivers/iommu-dma-handle-sg-length-overflow-better
new file mode 100644
index 0000000000..9a978e6c60
--- /dev/null
+++ b/patches.drivers/iommu-dma-handle-sg-length-overflow-better
@@ -0,0 +1,42 @@
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Mon, 29 Jul 2019 17:46:00 +0100
+Subject: iommu/dma: Handle SG length overflow better
+Git-commit: ab2cbeb0ed301a9f0460078e91b09f39958212ef
+Patch-mainline: v5.3-rc5
+References: bsc#1146084
+
+Since scatterlist dimensions are all unsigned ints, in the relatively
+rare cases where a device's max_segment_size is set to UINT_MAX, then
+the "cur_len + s_length <= max_len" check in __finalise_sg() will always
+return true. As a result, the corner case of such a device mapping an
+excessively large scatterlist which is mergeable to or beyond a total
+length of 4GB can lead to overflow and a bogus truncated dma_length in
+the resulting segment.
+
+As we already assume that any single segment must be no longer than
+max_len to begin with, this can easily be addressed by reshuffling the
+comparison.
+
+Fixes: 809eac54cdd6 ("iommu/dma: Implement scatterlist segment merging")
+Reported-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Tested-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/dma-iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
+index 6441197a75ea..4ea9cf02ba2d 100644
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -762,7 +762,7 @@ static int __finalise_sg(struct device *dev, struct scatterlist *sg, int nents,
+ * - and wouldn't make the resulting output segment too long
+ */
+ if (cur_len && !s_iova_off && (dma_addr & seg_mask) &&
+- (cur_len + s_length <= max_len)) {
++ (max_len - cur_len >= s_length)) {
+ /* ...then concatenate it with the previous one */
+ cur_len += s_length;
+ } else {
+
diff --git a/series.conf b/series.conf
index 685723ca1c..b5139daad0 100644
--- a/series.conf
+++ b/series.conf
@@ -23398,6 +23398,7 @@
patches.drivers/usb-iowarrior-fix-deadlock-on-disconnect.patch
patches.drivers/iio-adc-max9611-Fix-misuse-of-GENMASK-macro.patch
patches.fixes/driver_core-Fix_use-after-free_and_double_free_on_glue.patch
+ patches.drivers/iommu-dma-handle-sg-length-overflow-better
patches.drivers/ALSA-hda-Apply-workaround-for-another-AMD-chip-1022-.patch
patches.drivers/ALSA-hda-Fix-a-memory-leak-bug.patch
patches.drivers/ALSA-hda-Let-all-conexant-codec-enter-D3-when-reboot.patch