The integer overflow checking for find_and_map_user_pages() was done in
encode_dma(). Presumably this was to do it before the allocation. But
it's not super important that the failure path is a fast path and it
hurts readability to put the check so far from the where the variable is
used.
Move the check to find_and_map_user_pages() instead and add some more
additional potential integer overflow checks.
Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter <dan.carpen...@linaro.org>
---
I kind of went to town adding integer overflow checks here. Please,
review this extra carefully.
drivers/accel/qaic/qaic_control.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/accel/qaic/qaic_control.c
b/drivers/accel/qaic/qaic_control.c
index 96a26539df18..03932197f1ac 100644
--- a/drivers/accel/qaic/qaic_control.c
+++ b/drivers/accel/qaic/qaic_control.c
@@ -401,6 +401,12 @@ static int find_and_map_user_pages(struct qaic_device
*qdev,
xfer_start_addr = in_trans->addr + resources->xferred_dma_size;
+ if (in_trans->size == 0 ||
+ in_trans->addr + in_trans->size < in_trans->addr ||
+ in_trans->addr + resources->xferred_dma_size < in_trans->addr ||
+ in_trans->size + offset_in_page(xfer_start_addr) <
resources->xferred_dma_size)
+ return -EINVAL;
+
need_pages = DIV_ROUND_UP(in_trans->size +
offset_in_page(xfer_start_addr) -
resources->xferred_dma_size, PAGE_SIZE);
@@ -563,9 +569,6 @@ static int encode_dma(struct qaic_device *qdev, void
*trans, struct wrapper_list
QAIC_MANAGE_EXT_MSG_LENGTH)
return -ENOMEM;
- if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size)
- return -EINVAL;
-
xfer = kmalloc(sizeof(*xfer), GFP_KERNEL);
if (!xfer)
return -ENOMEM;
--
2.39.2
