Commit 84a833d

quic-jhugo Jeff Hugo authored and committed
accel/qaic: Fix possible data corruption in BOs > 2G
When slicing a BO, we need to iterate through the BO's sgt to find the right pieces to construct the slice. Some of the data types chosen for this process are incorrectly too small, and can overflow. This can result in the incorrect slice construction, which can lead to data corruption in workload execution.

The device can only handle 32-bit sized transfers, and the scatterlist struct only supports 32-bit buffer sizes, so our upper limit for an individual transfer is an unsigned int. Using an int is incorrect due to the reservation of the sign bit. Upgrade the length of a scatterlist entry and the offsets into a scatterlist entry to unsigned int for a correct representation.

While each transfer may be limited to 32-bits, the overall BO may exceed that size. For counting the total length of the BO, we need a type that can represent the largest allocation possible on the system. That is the definition of size_t, so use it.

Fixes: ff13be8 ("accel/qaic: Add datapath")
Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Troy Hanson <quic_thanson@quicinc.com>
Reviewed-by: Youssef Samir <quic_yabdulra@quicinc.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250306171959.853466-1-jeff.hugo@oss.qualcomm.com
1 parent c3e4a25 commit 84a833d

1 file changed

+4
-1
lines changed

drivers/accel/qaic/qaic_data.c

Lines changed: 4 additions & 1 deletion
@@ -172,16 +172,19 @@ static void free_slice(struct kref *kref)
172172
static int clone_range_of_sgt_for_slice(struct qaic_device *qdev, struct sg_table **sgt_out,
173173
struct sg_table *sgt_in, u64 size, u64 offset)
174174
{
175-
int total_len, len, nents, offf = 0, offl = 0;
176175
struct scatterlist *sg, *sgn, *sgf, *sgl;
176+
unsigned int len, nents, offf, offl;
177177
struct sg_table *sgt;
178+
size_t total_len;
178179
int ret, j;
179180

180181
/* find out number of relevant nents needed for this mem */
181182
total_len = 0;
182183
sgf = NULL;
183184
sgl = NULL;
184185
nents = 0;
186+
offf = 0;
187+
offl = 0;
185188

186189
size = size ? size : PAGE_SIZE;
187190
for_each_sgtable_dma_sg(sgt_in, sg, j) {
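Review bot: total_len is now size_t (new line 178), but the size and offset parameters in the signature of clone_range_of_sgt_for_slice() are u64, so on any configuration where size_t is 32 bits the running total would still be narrower than the range it is supposed to cover. Declaring it as `u64 total_len;` would keep all three at the same width regardless of the build, or the commit message could state why size_t is always wide enough here. A smaller point on the same declaration block: `unsigned int len, nents, offf, offl;` also changes the signedness of nents, which the commit message does not mention (it only names the entry length and the offsets); one sentence on why nents is safe as unsigned, or keeping it as int, would make the change easier to audit.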
