Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp345271pxk;
        Thu, 3 Sep 2020 00:50:56 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyFYScZ/8kovnyV/49rrPv78yZSc6hi9TDH1ALWtBaXllRgm7pTStBF9JTqJqyahCY62az6
X-Received: by 2002:a50:8c66:: with SMTP id p93mr1825219edp.156.1599119456026;
        Thu, 03 Sep 2020 00:50:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1599119456; cv=none;
        d=google.com; s=arc-20160816;
        b=jBb5dHzI03R6fiQP+D+5IrtvTFwtp/Q4rhnnpIfmrY6y3z1SFe0gxVeE2qRt8OqCHv
         joFO/ky9mxBVe+G1nXWwuKcSnSHABdKh+HMIMzEDPRi21gg1Yj5P/7tqQkZcqRkTQJ+H
         Oo4cHzaIh5jVFRql8vxO/lcj7Feav/lP86ka8B+NnAeuYjNrCTD88KiR/lG35043gqzR
         Y92k4d5c/gmiMNTVX6LXqsU/RHYJBKGqv7XaYpdO2HFKkZv5S7u0yIIU5IpSWh7i2mZJ
         W1w/eVC2Azz1bPnIdNzpAhKdx605ppPaqb5eyPfIo7yunOxWBJhIaJYBBdhlqEFO/Ey8
         Qv2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:dkim-signature:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject;
        bh=h2YtYK7X/8q5C0J8GcJkvpLDMTqz+dYhXOto+gkI9M0=;
        b=yMDwDcUs7d2gFIyLcGbnnyClO8N7ig6GKceMYHkcir/qA8q1PYmxE44nmj3rFDK1/W
         Rj18n3DeninULcQPJCMmD7TsE85F9T67PxkTcifphH1YfB2Z16OohNtFeV3DtF6eCirp
         p3Sw1gXS0q7qltife4PyKJxaFgXZSQP1OMkqJWPo06whdE1PYW68aeg493bEHDOuq7xT
         toAiOa0f3GS4IGy5x86xCSevUSA0cgv/qJQ+XM8TGm5BybZGbCI2HmWmd6GlJDbfSLz8
         rrfCjTqiq6Jl9Uy2wBNe2YfMU+ZadgFQ02UsBy0E3iNLsimsOyxy/gjpayzokNXSIwvn
         x6nA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@nvidia.com header.s=n1 header.b=StoEJz9i;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nvidia.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id m12si1230779eds.71.2020.09.03.00.50.30;
        Thu, 03 Sep 2020 00:50:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@nvidia.com header.s=n1 header.b=StoEJz9i;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nvidia.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728015AbgICHtt (ORCPT <rfc822;crosarcplusplustest@gmail.com>
        + 99 others); Thu, 3 Sep 2020 03:49:49 -0400
Received: from hqnvemgate25.nvidia.com ([216.228.121.64]:9777 "EHLO
        hqnvemgate25.nvidia.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726814AbgICHts (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 3 Sep 2020 03:49:48 -0400
Received: from hqpgpgate101.nvidia.com (Not Verified[216.228.121.13]) by hqnvemgate25.nvidia.com (using TLS: TLSv1.2, DES-CBC3-SHA)
        id <B5f509fec0000>; Thu, 03 Sep 2020 00:49:00 -0700
Received: from hqmail.nvidia.com ([172.20.161.6])
  by hqpgpgate101.nvidia.com (PGP Universal service);
  Thu, 03 Sep 2020 00:49:47 -0700
X-PGP-Universal: processed;
        by hqpgpgate101.nvidia.com on Thu, 03 Sep 2020 00:49:47 -0700
Received: from [10.2.53.12] (10.124.1.5) by HQMAIL107.nvidia.com
 (172.20.187.13) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 3 Sep
 2020 07:49:47 +0000
Subject: Re: [PATCH 16/38] media: videobuf-dma-sg: number of pages should be
 unsigned long
To:     Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
CC:     Andrew Morton <akpm@linux-foundation.org>,
        Hans Verkuil <hverkuil-cisco@xs4all.nl>,
        Michel Lespinasse <walken@google.com>,
        Mike Rapoport <rppt@kernel.org>, <linux-media@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>
References: <cover.1599062230.git.mchehab+huawei@kernel.org>
 <a57a3584ccc16f33b2e6e8a850b7cb7cf029dfb6.1599062230.git.mchehab+huawei@kernel.org>
From:   John Hubbard <jhubbard@nvidia.com>
Message-ID: <29cbe38a-4094-5d60-9f85-050bb44febcc@nvidia.com>
Date:   Thu, 3 Sep 2020 00:49:47 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <a57a3584ccc16f33b2e6e8a850b7cb7cf029dfb6.1599062230.git.mchehab+huawei@kernel.org>
X-Originating-IP: [10.124.1.5]
X-ClientProxiedBy: HQMAIL105.nvidia.com (172.20.187.12) To
 HQMAIL107.nvidia.com (172.20.187.13)
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nvidia.com; s=n1;
        t=1599119340; bh=h2YtYK7X/8q5C0J8GcJkvpLDMTqz+dYhXOto+gkI9M0=;
        h=X-PGP-Universal:Subject:To:CC:References:From:Message-ID:Date:
         User-Agent:MIME-Version:In-Reply-To:X-Originating-IP:
         X-ClientProxiedBy:Content-Type:Content-Language:
         Content-Transfer-Encoding;
        b=StoEJz9iReMvZwUWoJPzLDURYq36XjxdX0hehx0H3TQYOUtozau3fLiE24n5XClNA
         ewK9DL8Nr3NSo5qkdaRNBJq+nGrCeHq8N7jPvSUezeqX+WXTq9cohG+FcBzRYgNgQR
         T5wzmgZGEIuk48fyBbNS9tPt4flECSVn1+xaV2OcpZ+jXivNfdJidtnfuxylTC+soy
         L84gmlGpqVVlALWKfC1tn3jY0u7P7cwxj2FNP3N1WCEtQnGEs/Kw4GGb0iq41OY/th
         eDtzPslAdNwT8+I+bKdycacU0PEfbcmIHw/maCPnOLKSDLcWKKsyJ+DnoZyE2ZyR/T
         70hp5hBYErUvw==
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 9/2/20 9:10 AM, Mauro Carvalho Chehab wrote:
> As reported by smatch:
> 
> 	drivers/media/v4l2-core/videobuf-dma-sg.c:245 videobuf_dma_init_kernel() warn: should 'nr_pages << 12' be a 64 bit type?
> 
> The printk should not be using %d for the number of pages.
> 
> After looking better, the real problem here is that the
> number of pages should be long int.
> 
> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> ---
>   drivers/media/v4l2-core/videobuf-dma-sg.c | 22 ++++++++++++----------
>   include/media/videobuf-dma-sg.h           |  2 +-
>   2 files changed, 13 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/media/v4l2-core/videobuf-dma-sg.c b/drivers/media/v4l2-core/videobuf-dma-sg.c
> index 46ff19df9f53..8dd0562de287 100644
> --- a/drivers/media/v4l2-core/videobuf-dma-sg.c
> +++ b/drivers/media/v4l2-core/videobuf-dma-sg.c
> @@ -180,7 +180,7 @@ static int videobuf_dma_init_user_locked(struct videobuf_dmabuf *dma,
>   	if (rw == READ)
>   		flags |= FOLL_WRITE;
>   
> -	dprintk(1, "init user [0x%lx+0x%lx => %d pages]\n",
> +	dprintk(1, "init user [0x%lx+0x%lx => %lu pages]\n",
>   		data, size, dma->nr_pages);
>   
>   	err = pin_user_pages(data & PAGE_MASK, dma->nr_pages,


One pre-existing detail to remember is that the gup/pup routines,
specifically pin_user_pages() in this case, use an "int" for the
incoming nr_pages. (I wonder if that should be changed? It's now
becoming a pitfall.) So it's now possible to overflow.

In other situations like this (see xsdfec_table_write() in
drivers/misc/xilinx_sdfec.c), we've added checks such as:

	u32 n;
	...

	if (WARN_ON_ONCE(n > INT_MAX))
		return -EINVAL;

	nr_pages = n;

	res = pin_user_pages_fast((unsigned long)src_ptr, nr_pages, 0, pages);

...in other words, check the value while it's stored in a 64-bit type,
before sending it down into a 32-bit API.

...other than that, everything else looks fine.

thanks,
-- 
John Hubbard
NVIDIA