www.infradead.org Git - users/hch/misc.git/commit

author	Jeffrey Hugo <quic_jhugo@quicinc.com>
	Thu, 6 Mar 2025 17:19:59 +0000 (10:19 -0700)
committer	Jeff Hugo <jeff.hugo@oss.qualcomm.com>
	Fri, 14 Mar 2025 16:28:45 +0000 (10:28 -0600)
commit	84a833d90635e4b846333e2df0ae72f9cbecac39
tree	9748d6ec46acd0c418e39de0553128c2b4783769	tree
parent	c3e4a25602f8b941b154f52a4da13ae77b4664c4	commit \| diff

accel/qaic: Fix possible data corruption in BOs > 2G

When slicing a BO, we need to iterate through the BO's sgt to find the
right pieces to construct the slice. Some of the data types chosen for
this process are incorrectly too small, and can overflow. This can
result in the incorrect slice construction, which can lead to data
corruption in workload execution.

The device can only handle 32-bit sized transfers, and the scatterlist
struct only supports 32-bit buffer sizes, so our upper limit for an
individual transfer is an unsigned int. Using an int is incorrect due to
the reservation of the sign bit. Upgrade the length of a scatterlist
entry and the offsets into a scatterlist entry to unsigned int for a
correct representation.

While each transfer may be limited to 32-bits, the overall BO may exceed
that size. For counting the total length of the BO, we need a type that
can represent the largest allocation possible on the system. That is the
definition of size_t, so use it.

Fixes: ff13be830333 ("accel/qaic: Add datapath")
Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Troy Hanson <quic_thanson@quicinc.com>
Reviewed-by: Youssef Samir <quic_yabdulra@quicinc.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250306171959.853466-1-jeff.hugo@oss.qualcomm.com