Re: [PATCH] scatterlist: don't overflow length field

From: Linus Torvalds
Date: Fri Feb 03 2017 - 14:57:15 EST

Next message: Colin King: "[PATCH] drm/vc4: simplify exit path of a failed allocation of dsi_connector"
Previous message: Stephen Boyd: "Re: [PATCH 2/2] clk: uniphier: add eMMC clock for LD11 and LD20 SoCs"
In reply to: David Dillow: "[PATCH] scatterlist: don't overflow length field"
Next in thread: David Dillow: "Re: [PATCH] scatterlist: don't overflow length field"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 1, 2017 at 1:29 PM, David Dillow <dillow@xxxxxxxxxx> wrote:
> When called with a region of contiguous pages totaling > 4 GB of memory,
> sg_alloc_table_from_pages() will overflow the length field, leading to a
> corrupt scatter list. Fix this by tracking the number of pages we've
> merged and start a new chunk when we would overflow.

So what allows these things to be built in the first place?

We limit IO sizes to fit in a signed int (so just below 2GB) not only
because it's often an effective denial of service, but also because
we've had issues with various drivers (and filesystems) getting
int/long wrong.

So nothing should be building those kinds of scatterlists, and it
something is able to, it might result in other problems downstreams..

Put another way: why not just say "this can't happen", and make the
sg_alloc_table_from_pages() perhaps also have the same check.

MAX_RW_COUNT is what we limit reads and writes to:

#define MAX_RW_COUNT (INT_MAX & PAGE_MASK)

Hmm?

Linus

Next message: Colin King: "[PATCH] drm/vc4: simplify exit path of a failed allocation of dsi_connector"
Previous message: Stephen Boyd: "Re: [PATCH 2/2] clk: uniphier: add eMMC clock for LD11 and LD20 SoCs"
In reply to: David Dillow: "[PATCH] scatterlist: don't overflow length field"
Next in thread: David Dillow: "Re: [PATCH] scatterlist: don't overflow length field"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]