Date: Mon, 8 Jul 2024 14:52:35 GMT
Message-Id: <202407081452.468EqZWf046714@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mitchell Horne
Subject: git: 558c1b37334c - main - busdma: avoid buflen underflow
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: mhorne
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 558c1b37334c4dcc9913b7c157a491f9d244e335

The branch main has been updated by mhorne:

URL: https://cgit.FreeBSD.org/src/commit/?id=558c1b37334c4dcc9913b7c157a491f9d244e335

commit 558c1b37334c4dcc9913b7c157a491f9d244e335
Author:     Mitchell Horne
AuthorDate: 2024-07-08 14:51:31 +0000
Commit:     Mitchell Horne
CommitDate: 2024-07-08 14:51:31 +0000

    busdma: avoid buflen underflow

    The loop condition in the dmamap_load_buffer() method is 'buflen > 0',
    and buflen is an unsigned type (bus_size_t). A recent change made it
    possible for sgsize to exceed the remaining buflen, when the tag has a
    large alignment requirement. The result is that we would not break out
    of the loop at the correct time.

    Fix this by avoiding underflow in the subtraction at the end of the
    loop.

    PR:             279383
    Reported by:    Robert Morris
    Reviewed by:    jhibbits
    Fixes:          a77e1f0f81df ("busdma: better handling of small segment bouncing")
    Differential Revision:  https://reviews.freebsd.org/D45732
---
 sys/arm/arm/busdma_machdep.c         | 2 +-
 sys/arm64/arm64/busdma_bounce.c      | 2 +-
 sys/powerpc/powerpc/busdma_machdep.c | 2 +-
 sys/riscv/riscv/busdma_bounce.c      | 2 +-
 sys/x86/x86/busdma_bounce.c          | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/sys/arm/arm/busdma_machdep.c b/sys/arm/arm/busdma_machdep.c index 13af7eb682d6..99a72c9e79d0 100644 --- a/sys/arm/arm/busdma_machdep.c +++ b/sys/arm/arm/busdma_machdep.c
@@ -1035,7 +1035,7 @@ _bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf, segp)) break; vaddr += sgsize; - buflen -= sgsize; + buflen -= MIN(sgsize, buflen); /* avoid underflow */ } cleanup: diff --git a/sys/arm64/arm64/busdma_bounce.c b/sys/arm64/arm64/busdma_bounce.c index f218bc062642..3836f8c74b45 100644 --- a/sys/arm64/arm64/busdma_bounce.c +++ b/sys/arm64/arm64/busdma_bounce.c @@ -898,7 +898,7 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf, segp)) break; vaddr += sgsize; - buflen -= sgsize; + buflen -= MIN(sgsize, buflen); /* avoid underflow */ } /* diff --git a/sys/powerpc/powerpc/busdma_machdep.c b/sys/powerpc/powerpc/busdma_machdep.c index b023e7f353b9..5f7f88041a67 100644 --- a/sys/powerpc/powerpc/busdma_machdep.c +++ b/sys/powerpc/powerpc/busdma_machdep.c @@ -656,7 +656,7 @@ _bus_dmamap_load_buffer(bus_dma_tag_t dmat, segp)) break; vaddr += sgsize; - buflen -= sgsize; + buflen -= MIN(sgsize, buflen); /* avoid underflow */ } /* diff --git a/sys/riscv/riscv/busdma_bounce.c b/sys/riscv/riscv/busdma_bounce.c index e1c217f1d12e..68525bb742bc 100644 --- a/sys/riscv/riscv/busdma_bounce.c +++ b/sys/riscv/riscv/busdma_bounce.c @@ -705,7 +705,7 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf, segp)) break; vaddr += sgsize; - buflen -= sgsize; + buflen -= MIN(sgsize, buflen); /* avoid underflow */ } cleanup: diff --git a/sys/x86/x86/busdma_bounce.c b/sys/x86/x86/busdma_bounce.c index 5aa4ffcff3cc..656b76159250 100644 --- a/sys/x86/x86/busdma_bounce.c +++ b/sys/x86/x86/busdma_bounce.c @@ -733,7 +733,7 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf, segp)) break; vaddr += sgsize; - buflen -= sgsize; + buflen -= MIN(sgsize, buflen); /* avoid underflow */ } /* 
@@ -808,7 +808,7 @@ bounce_bus_dmamap_load_ma(bus_dma_tag_t dmat, bus_dmamap_t map, break; KASSERT(buflen >= sgsize, ("Segment length overruns original buffer")); - buflen -= sgsize; + buflen -= MIN(sgsize, buflen); /* avoid underflow */ if (((ma_offs + sgsize) & ~PAGE_MASK) != 0) page_index++; ma_offs = (ma_offs + sgsize) & PAGE_MASK;
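Review bot: in the five load_buffer hunks (arm, arm64, powerpc, riscv, and the x86 hunk at @@ -733), `vaddr += sgsize;` directly above the changed line still advances by the unclamped sgsize, so when sgsize exceeds the remaining buflen, vaddr ends up past the end of the buffer while buflen is pinned to 0. That is harmless only if nothing reads vaddr after the loop exits, which these hunks do not show; worth confirming, or computing the clamped step once and using it for both updates. The `/* avoid underflow */` comment could also say why sgsize can exceed buflen (the commit message attributes it to tags with a large alignment requirement), since that is the part a later reader will not be able to reconstruct from the line itself.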
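Review bot: in the bounce_bus_dmamap_load_ma() hunk (sys/x86/x86/busdma_bounce.c, @@ -808), the `KASSERT(buflen >= sgsize, ...)` directly above the changed line still asserts the very condition the new MIN() is there to tolerate. On a kernel built with INVARIANTS the assertion fires before the clamp is reached, and without INVARIANTS the clamp silently absorbs the case, so the two lines disagree about whether sgsize > buflen is legal in this path. If this path can legitimately see it, drop or relax the KASSERT in the same change; if it cannot, the MIN() is unnecessary here, which would also match the commit message naming only dmamap_load_buffer().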