Re: [PATCH net] net: devmem: reject TX dma-buf with non-page-aligned size or SG length

[Stanislav Fomichev]

On 05/17, David Carlier wrote:
> The TX dma-buf bind assumes dmabuf->size and every sg_dma_len() are
> PAGE_SIZE multiples: tx_vec is sized dmabuf->size / PAGE_SIZE and
> indexed by virt_addr / PAGE_SIZE, with only a virt_addr < dmabuf->size
> bound check. A non-page-aligned size lets sendmsg() reach the tail
> region past the last populated slot and read one past tx_vec[]. A
> non-page-aligned, non-final SG entry causes the same OOB indirectly
> by desyncing later slots.

[..]

> Reject both up front. Real exporters (udmabuf, dma-buf heaps, GPU
> drivers) already page-align, so this only refuses layouts the TX path
> can't back correctly.
> 
> Fixes: bd61848900bf ("net: devmem: Implement TX path")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: David Carlier <devnexen@xxxxxxxxx>

If the real exported already export page-aligned, why does it need
to go into net/stable?

> ---
>  net/core/devmem.c | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/net/core/devmem.c b/net/core/devmem.c
> index 468344739db2..e72f48ff9094 100644
> --- a/net/core/devmem.c
> +++ b/net/core/devmem.c
> @@ -193,6 +193,7 @@ net_devmem_bind_dmabuf(struct net_device *dev,
>  	struct dma_buf *dmabuf;
>  	unsigned int sg_idx, i;
>  	unsigned long virtual;
> +	bool todevice;
>  	int err;
>  
>  	if (!dma_dev) {
> @@ -240,7 +241,14 @@ net_devmem_bind_dmabuf(struct net_device *dev,
>  		goto err_detach;
>  	}
>  
> -	if (direction == DMA_TO_DEVICE) {
> +	todevice = direction == DMA_TO_DEVICE;

If you're being defensive here with "real exporters already page-align",
why not do this check on both rx and tx? Why single out tx side?