Commit 44793c6a authored Oct 27, 2023 by Carl Vanderlip Committed by Jeff Hugo Nov 03, 2023

accel/qaic: Quiet array bounds check on DMA abort message



Current wrapper is right-sized to the message being transferred;
however, this is smaller than the structure defining message wrappers
since the trailing element is a union of message/transfer headers of
various sizes (8 and 32 bytes on 32-bit system where issue was
reported). Using the smaller header with a small message
(wire_trans_dma_xfer is 24 bytes including header) ends up being smaller
than a wrapper with the larger header. There are no accesses outside of
the defined size, however they are possible if the larger union member
is referenced.

Abort messages are outside of hot-path and changing the wrapper struct
would require a larger rewrite, so having the memory allocated to the
message be 8 bytes too big is acceptable.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202310182253.bcb9JcyJ-lkp@intel.com/


Signed-off-by: Carl Vanderlip <quic_carlv@quicinc.com>
Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231027180810.4873-1-quic_jhugo@quicinc.com

parent 6fd94871

drivers/accel/qaic/qaic_control.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1138,7 +1138,7 @@ static int abort_dma_cont(struct qaic_device qdev, struct wrapper_list wrapper
		if (!list_is_first(&wrapper->list, &wrappers->list))
		kref_put(&wrapper->ref_count, free_wrapper);

		wrapper = add_wrapper(wrappers, offsetof(struct wrapper_msg, trans) + sizeof(*out_trans));
		wrapper = add_wrapper(wrappers, sizeof(*wrapper));

		if (!wrapper)
		return -ENOMEM;