In __iommu_dma_alloc_noncontiguous() the value returned by
iommu_map_sg_atomic() is checked for being smaller than size. Before
commit ad8f36e4b6b1 ("iommu: return full error code from
iommu_map_sg[_atomic]()") this simply checked if the requested size was
successfully mapped.
After that commit iommu_map_sg_atomic() may also return a negative
error value. In principle this too would be covered by the existing
check. There is one problem however, as size is of type size_t while the
return type of iommu_map_sg_atomic() is now of type ssize_t the latter gets
converted to size_t and negative error values end up as very large
positive values making the check succeed. Fix this by making the return
type visible with a local variable and add an explicit cast to ssize_t.
Fixes: ad8f36e4b6b1 ("iommu: return full error code from iommu_map_sg[_atomic]()")
Cc: [email protected]
Signed-off-by: Niklas Schnelle <[email protected]>
---
drivers/iommu/dma-iommu.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
index 09f6e1c0f9c0..b4fcf1d92994 100644
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -776,6 +776,7 @@ static struct page **__iommu_dma_alloc_noncontiguous(struct device *dev,
unsigned int count, min_size, alloc_sizes = domain->pgsize_bitmap;
struct page **pages;
dma_addr_t iova;
+ ssize_t mapped;
if (static_branch_unlikely(&iommu_deferred_attach_enabled) &&
iommu_deferred_attach(dev, domain))
@@ -813,8 +814,8 @@ static struct page **__iommu_dma_alloc_noncontiguous(struct device *dev,
arch_dma_prep_coherent(sg_page(sg), sg->length);
}
- if (iommu_map_sg_atomic(domain, iova, sgt->sgl, sgt->orig_nents, ioprot)
- < size)
+ mapped = iommu_map_sg_atomic(domain, iova, sgt->sgl, sgt->orig_nents, ioprot);
+ if (mapped < (ssize_t)size)
goto out_free_sg;
sgt->sgl->dma_address = iova;
--
2.32.0
On Tue, 2022-05-17 at 10:36 +0200, Christoph Hellwig wrote:
> On Fri, May 13, 2022 at 05:39:48PM +0200, Niklas Schnelle wrote:
> > In __iommu_dma_alloc_noncontiguous() the value returned by
> > iommu_map_sg_atomic() is checked for being smaller than size. Before
> > commit ad8f36e4b6b1 ("iommu: return full error code from
> > iommu_map_sg[_atomic]()") this simply checked if the requested size was
> > successfully mapped.
> >
> > After that commit iommu_map_sg_atomic() may also return a negative
> > error value. In principle this too would be covered by the existing
> > check. There is one problem however, as size is of type size_t while the
> > return type of iommu_map_sg_atomic() is now of type ssize_t the latter gets
> > converted to size_t and negative error values end up as very large
> > positive values making the check succeed. Fix this by making the return
> > type visible with a local variable and add an explicit cast to ssize_t.
> >
> > Fixes: ad8f36e4b6b1 ("iommu: return full error code from iommu_map_sg[_atomic]()")
> > Cc: [email protected]
> > Signed-off-by: Niklas Schnelle <[email protected]>
>
> I don't see what the point of the newly added local variable is here.
> Just casting size should be all that is needed as far as I can tell.
No technical reason just found it easier to read and more descriptive.
I'll sent a v2 with just the cast, it does simplify the commit message.
On Fri, May 13, 2022 at 05:39:48PM +0200, Niklas Schnelle wrote:
> In __iommu_dma_alloc_noncontiguous() the value returned by
> iommu_map_sg_atomic() is checked for being smaller than size. Before
> commit ad8f36e4b6b1 ("iommu: return full error code from
> iommu_map_sg[_atomic]()") this simply checked if the requested size was
> successfully mapped.
>
> After that commit iommu_map_sg_atomic() may also return a negative
> error value. In principle this too would be covered by the existing
> check. There is one problem however, as size is of type size_t while the
> return type of iommu_map_sg_atomic() is now of type ssize_t the latter gets
> converted to size_t and negative error values end up as very large
> positive values making the check succeed. Fix this by making the return
> type visible with a local variable and add an explicit cast to ssize_t.
>
> Fixes: ad8f36e4b6b1 ("iommu: return full error code from iommu_map_sg[_atomic]()")
> Cc: [email protected]
> Signed-off-by: Niklas Schnelle <[email protected]>
I don't see what the point of the newly added local variable is here.
Just casting size should be all that is needed as far as I can tell.
On 2022-05-17 11:17, Niklas Schnelle wrote:
> On Tue, 2022-05-17 at 10:36 +0200, Christoph Hellwig wrote:
>> On Fri, May 13, 2022 at 05:39:48PM +0200, Niklas Schnelle wrote:
>>> In __iommu_dma_alloc_noncontiguous() the value returned by
>>> iommu_map_sg_atomic() is checked for being smaller than size. Before
>>> commit ad8f36e4b6b1 ("iommu: return full error code from
>>> iommu_map_sg[_atomic]()") this simply checked if the requested size was
>>> successfully mapped.
>>>
>>> After that commit iommu_map_sg_atomic() may also return a negative
>>> error value. In principle this too would be covered by the existing
>>> check. There is one problem however, as size is of type size_t while the
>>> return type of iommu_map_sg_atomic() is now of type ssize_t the latter gets
>>> converted to size_t and negative error values end up as very large
>>> positive values making the check succeed. Fix this by making the return
>>> type visible with a local variable and add an explicit cast to ssize_t.
>>>
>>> Fixes: ad8f36e4b6b1 ("iommu: return full error code from iommu_map_sg[_atomic]()")
>>> Cc: [email protected]
>>> Signed-off-by: Niklas Schnelle <[email protected]>
>>
>> I don't see what the point of the newly added local variable is here.
>> Just casting size should be all that is needed as far as I can tell.
>
> No technical reason just found it easier to read and more descriptive.
> I'll sent a v2 with just the cast, it does simplify the commit message.
Note that this is already fixed upstream, though:
https://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu.git/commit/?h=core&id=a3884774d731f03d3a3dd4fb70ec2d9341ceb39d
Robin.
On Tue, 2022-05-17 at 11:18 +0100, Robin Murphy wrote:
> On 2022-05-17 11:17, Niklas Schnelle wrote:
> > On Tue, 2022-05-17 at 10:36 +0200, Christoph Hellwig wrote:
> > > On Fri, May 13, 2022 at 05:39:48PM +0200, Niklas Schnelle wrote:
> > > > In __iommu_dma_alloc_noncontiguous() the value returned by
> > > > iommu_map_sg_atomic() is checked for being smaller than size. Before
> > > > commit ad8f36e4b6b1 ("iommu: return full error code from
> > > > iommu_map_sg[_atomic]()") this simply checked if the requested size was
> > > > successfully mapped.
> > > >
> > > > After that commit iommu_map_sg_atomic() may also return a negative
> > > > error value. In principle this too would be covered by the existing
> > > > check. There is one problem however, as size is of type size_t while the
> > > > return type of iommu_map_sg_atomic() is now of type ssize_t the latter gets
> > > > converted to size_t and negative error values end up as very large
> > > > positive values making the check succeed. Fix this by making the return
> > > > type visible with a local variable and add an explicit cast to ssize_t.
> > > >
> > > > Fixes: ad8f36e4b6b1 ("iommu: return full error code from iommu_map_sg[_atomic]()")
> > > > Cc: [email protected]
> > > > Signed-off-by: Niklas Schnelle <[email protected]>
> > >
> > > I don't see what the point of the newly added local variable is here.
> > > Just casting size should be all that is needed as far as I can tell.
> >
> > No technical reason just found it easier to read and more descriptive.
> > I'll sent a v2 with just the cast, it does simplify the commit message.
>
> Note that this is already fixed upstream, though:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu.git/commit/?h=core&id=a3884774d731f03d3a3dd4fb70ec2d9341ceb39d
>
> Robin.
Ah oh well then nevermind and you can of course also ignore the v2 I
sent out a minute ago.