lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Apr 2017 16:31:30 +0530 From: Sricharan R <sricharan@...eaurora.org> To: Frank Rowand <frowand.list@...il.com>, robin.murphy@....com, will.deacon@....com, joro@...tes.org, lorenzo.pieralisi@....com, iommu@...ts.linux-foundation.org, linux-arm-kernel@...ts.infradead.org, linux-arm-msm@...r.kernel.org, m.szyprowski@...sung.com, bhelgaas@...gle.com, linux-pci@...r.kernel.org, linux-acpi@...r.kernel.org, tn@...ihalf.com, hanjun.guo@...aro.org, okaya@...eaurora.org, robh+dt@...nel.org, devicetree@...r.kernel.org, linux-kernel@...r.kernel.org, sudeep.holla@....com, rjw@...ysocki.net, lenb@...nel.org, catalin.marinas@....com, arnd@...db.de, linux-arch@...r.kernel.org, gregkh@...uxfoundation.org Subject: Re: [PATCH V10 06/12] of: device: Fix overflow of coherent_dma_mask Hi Frank, On 4/6/2017 12:31 PM, Frank Rowand wrote: > On 04/04/17 03:18, Sricharan R wrote: >> Size of the dma-range is calculated as coherent_dma_mask + 1 >> and passed to arch_setup_dma_ops further. It overflows when >> the coherent_dma_mask is set for full 64 bits 0xFFFFFFFFFFFFFFFF, >> resulting in size getting passed as 0 wrongly. Fix this by >> passsing in max(mask, mask + 1). Note that in this case >> when the mask is set to full 64bits, we will be passing the mask >> itself to arch_setup_dma_ops instead of the size. The real fix >> for this should be to make arch_setup_dma_ops receive the >> mask and handle it, to be done in the future. >> >> Signed-off-by: Sricharan R <sricharan@...eaurora.org> >> --- >> drivers/of/device.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/of/device.c b/drivers/of/device.c >> index c17c19d..c2ae6bb 100644 >> --- a/drivers/of/device.c >> +++ b/drivers/of/device.c >> @@ -107,7 +107,7 @@ void of_dma_configure(struct device *dev, struct device_node *np) >> ret = of_dma_get_range(np, &dma_addr, &paddr, &size); >> if (ret < 0) { >> dma_addr = offset = 0; >> - size = dev->coherent_dma_mask + 1; >> + size = max(dev->coherent_dma_mask, dev->coherent_dma_mask + 1); >> } else { >> offset = PFN_DOWN(paddr - dma_addr); >> dev_dbg(dev, "dma_pfn_offset(%#08lx)\n", offset); >> > > NACK. > > Passing an invalid size to arch_setup_dma_ops() is only part of the problem. > size is also used in of_dma_configure() before calling arch_setup_dma_ops(): > > dev->coherent_dma_mask = min(dev->coherent_dma_mask, > DMA_BIT_MASK(ilog2(dma_addr + size))); > *dev->dma_mask = min((*dev->dma_mask), > DMA_BIT_MASK(ilog2(dma_addr + size))); > > which would be incorrect for size == 0xffffffffffffffffULL when > dma_addr != 0. So the proposed fix really is not papering over > the base problem very well. > Ok, but with your fix for of_dma_get_range and the above fix, dma_addr will be '0' when size = 0xffffffffffffffffULL, but DMA_BIT_MASK(ilog2(dma_addr + size)) would be wrong though, making coherent_dma_mask to be smaller 0x7fffffffffffffffULL. Regards, Sricharan > I agree that the proper solution involves passing a mask instead > of a size to arch_setup_dma_ops(). > -- "QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation
Powered by blists - more mailing lists