busdma: avoid buflen underflow
ClosedPublic
Actions

Authored by mhorne on Jun 25 2024, 5:05 PM.

Details

Reviewers

jhb
andrew
manu
jhibbits

Commits

rG558c1b37334c: busdma: avoid buflen underflow

Summary

The loop condition in the dmamap_load_buffer() method is 'buflen > 0',
and buflen is an unsigned type (bus_size_t).

A recent change made it possible for sgsize to exceed the remaining
buflen, when the tag has a large alignment requirement. The result is
that we would not break out of the loop at the correct time. Fix this by
avoiding underflow in the subtraction at the end of the loop.

PR: 279383
Reported by: Robert Morris <rtm@lcs.mit.edu>
Fixes: a77e1f0f81df ("busdma: better handling of small segment bouncing")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

mhorne created this revision.Jun 25 2024, 5:05 PM

Herald added a reviewer: andrew. · View Herald TranscriptJun 25 2024, 5:05 PM

Herald added a reviewer: andrew. · View Herald Transcript

Herald added a reviewer: manu. · View Herald Transcript

Herald added subscribers: riscv, jhibbits, emaste, imp. · View Herald Transcript

mhorne requested review of this revision.Jun 25 2024, 5:05 PM

Harbormaster completed remote builds in B58348: Diff 140229.Jun 25 2024, 5:05 PM

I could apply the same guard to bounce_bus_dmamap_load_phys() methods, but in those functions it is easier to see that underflow is not possible, so I haven't yet.

sys/arm64/arm64/busdma_bounce.c
864–867	Note: arm and arm64 implementations are actually lacking the line sgsize = roundup2(sgsize, dmat->common.alignment); found in the other implementations, and are therefore not susceptible to the same underflow. Still, I think it is wise to add the check here too.