Message ID | 20231027180810.4873-1-quic_jhugo@quicinc.com |
---|---|
State | Accepted |
Commit | 44793c6a5b784f1f25608e3773fd40e011c63391 |
Series | accel/qaic: Quiet array bounds check on DMA abort message |

On Fri, Oct 27, 2023 at 12:08:10PM -0600, Jeffrey Hugo wrote:
> From: Carl Vanderlip <quic_carlv@quicinc.com>
>
> Current wrapper is right-sized to the message being transferred;
> however, this is smaller than the structure defining message wrappers
> since the trailing element is a union of message/transfer headers of
> various sizes (8 and 32 bytes on 32-bit system where issue was
> reported). Using the smaller header with a small message
> (wire_trans_dma_xfer is 24 bytes including header) ends up being smaller
> than a wrapper with the larger header. There are no accesses outside of
> the defined size, however they are possible if the larger union member
> is referenced.
>
> Abort messages are outside of hot-path and changing the wrapper struct
> would require a larger rewrite, so having the memory allocated to the
> message be 8 bytes too big is acceptable.
>
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202310182253.bcb9JcyJ-lkp@intel.com/
> Signed-off-by: Carl Vanderlip <quic_carlv@quicinc.com>
> Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
> Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
> Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>

Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>

On 10/27/2023 12:08 PM, Jeffrey Hugo wrote:
> From: Carl Vanderlip <quic_carlv@quicinc.com>
>
> Current wrapper is right-sized to the message being transferred;
> however, this is smaller than the structure defining message wrappers
> since the trailing element is a union of message/transfer headers of
> various sizes (8 and 32 bytes on 32-bit system where issue was
> reported). Using the smaller header with a small message
> (wire_trans_dma_xfer is 24 bytes including header) ends up being smaller
> than a wrapper with the larger header. There are no accesses outside of
> the defined size, however they are possible if the larger union member
> is referenced.
>
> Abort messages are outside of hot-path and changing the wrapper struct
> would require a larger rewrite, so having the memory allocated to the
> message be 8 bytes too big is acceptable.
>
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202310182253.bcb9JcyJ-lkp@intel.com/
> Signed-off-by: Carl Vanderlip <quic_carlv@quicinc.com>
> Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
> Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
> Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>

Pushed to drm-misc-next

-Jeff

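
The sizing mismatch the commit message describes, as an added example that is not part of the original thread or the driver's code. The `demo_*` structs and their field layout are hypothetical stand-ins; only the 8-, 32- and 24-byte sizes are taken from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins, NOT the qaic definitions. Only the sizes (8- and
 * 32-byte headers, 24-byte DMA transfer) come from the commit message. */
struct demo_trans_hdr { uint32_t type, len; };
struct demo_msg_hdr   { uint32_t words[8]; };
struct demo_dma_xfer  { struct demo_trans_hdr hdr; uint32_t body[4]; };
_Static_assert(sizeof(struct demo_dma_xfer) == 24, "sizes follow the message");

struct demo_wrapper {
	uint32_t len;                    /* bookkeeping ahead of the payload */
	union {                          /* trailing union of headers */
		struct demo_msg_hdr msg;     /* 32 bytes */
		struct demo_trans_hdr trans; /* 8 bytes */
	};
};

/* Old sizing: offset of the small header plus exactly the message sent. */
size_t right_sized_alloc(void)
{
	return offsetof(struct demo_wrapper, trans) + sizeof(struct demo_dma_xfer);
}

/* New sizing: the whole wrapper type, as in the patch. */
size_t full_alloc(void)
{
	return sizeof(struct demo_wrapper);
}

/* Does a member at [off, off + size) lie inside an alloc-byte buffer? */
int member_in_bounds(size_t alloc, size_t off, size_t size)
{
	return off <= alloc && size <= alloc - off;
}

int main(void)
{
	size_t sizes[2] = { right_sized_alloc(), full_alloc() };

	for (int i = 0; i < 2; i++)
		printf("%2zu-byte allocation: dma_xfer %s, 32-byte header %s\n", sizes[i],
		       member_in_bounds(sizes[i], offsetof(struct demo_wrapper, trans),
					sizeof(struct demo_dma_xfer)) ? "fits" : "OVERRUNS",
		       member_in_bounds(sizes[i], offsetof(struct demo_wrapper, msg),
					sizeof(struct demo_msg_hdr)) ? "fits" : "OVERRUNS");
	return 0;
}
```

The right-sized buffer holds the message that is actually written but ends 8 bytes short of the larger union member, which is the situation a compiler's array bounds check reports when it sees the allocation used through the wrapper type.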
diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c index 388abd40024b..84915824be54 100644 --- a/drivers/accel/qaic/qaic_control.c +++ b/drivers/accel/qaic/qaic_control.c @@ -1138,7 +1138,7 @@ static int abort_dma_cont(struct qaic_device *qdev, struct wrapper_list *wrapper if (!list_is_first(&wrapper->list, &wrappers->list)) kref_put(&wrapper->ref_count, free_wrapper); - wrapper = add_wrapper(wrappers, offsetof(struct wrapper_msg, trans) + sizeof(*out_trans)); + wrapper = add_wrapper(wrappers, sizeof(*wrapper)); if (!wrapper) return -ENOMEM;
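Review bot: The new add_wrapper() call takes sizeof(*wrapper) on the line directly after kref_put(&wrapper->ref_count, free_wrapper) may have dropped the last reference to that same wrapper. sizeof is evaluated at compile time, so nothing is dereferenced, but writing sizeof(struct wrapper_msg), the type named in the removed offsetof() expression, would make that obvious to a reader. The call also has no comment saying the full-struct size is deliberate; since the removed line used the offsetof(struct wrapper_msg, trans) + sizeof(*out_trans) idiom, a later cleanup could restore it and bring the array bounds warning back, so a one-line comment noting the intentional over-allocation would help.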