busdma: avoid buflen underflow

The loop condition in the dmamap_load_buffer() method is 'buflen > 0', and buflen is an unsigned type (bus_size_t). A recent change made it possible for sgsize to exceed the remaining buflen, when the tag has a large alignment requirement. The result is that we would not break out of the loop at the correct time. Fix this by avoiding underflow in the subtraction at the end of the loop. PR: 279383 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: jhibbits Fixes: a77e1f0f81 ("busdma: better handling of small segment bouncing") Differential Revision: https://reviews.freebsd.org/D45732
2024-11-22 03:04:34 +01:00 · 2024-07-08 11:51:31 -03:00 · 2024-07-08 11:51:31 -03:00 · 558c1b3733
commit 558c1b3733
parent 4e148a7baa
5 changed files with 6 additions and 6 deletions
--- a/sys/arm/arm/busdma_machdep.c
+++ b/sys/arm/arm/busdma_machdep.c
@ -1035,7 +1035,7 @@ _bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf,
 		    segp))
 			break;
 		vaddr += sgsize;
-		buflen -= sgsize;
+		buflen -= MIN(sgsize, buflen); /* avoid underflow */
 	}

 cleanup:
--- a/sys/arm64/arm64/busdma_bounce.c
+++ b/sys/arm64/arm64/busdma_bounce.c
@ -898,7 +898,7 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf,
 		    segp))
 			break;
 		vaddr += sgsize;
-		buflen -= sgsize;
+		buflen -= MIN(sgsize, buflen); /* avoid underflow */
 	}

 	/*
--- a/sys/powerpc/powerpc/busdma_machdep.c
+++ b/sys/powerpc/powerpc/busdma_machdep.c
@ -656,7 +656,7 @@ _bus_dmamap_load_buffer(bus_dma_tag_t dmat,
 		    segp))
 			break;
 		vaddr += sgsize;
-		buflen -= sgsize;
+		buflen -= MIN(sgsize, buflen); /* avoid underflow */
 	}

 	/*
--- a/sys/riscv/riscv/busdma_bounce.c
+++ b/sys/riscv/riscv/busdma_bounce.c
@ -705,7 +705,7 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf,
 		    segp))
 			break;
 		vaddr += sgsize;
-		buflen -= sgsize;
+		buflen -= MIN(sgsize, buflen); /* avoid underflow */
 	}

 cleanup:
--- a/sys/x86/x86/busdma_bounce.c
+++ b/sys/x86/x86/busdma_bounce.c
@ -733,7 +733,7 @@ bounce_bus_dmamap_load_buffer(bus_dma_tag_t dmat, bus_dmamap_t map, void *buf,
 		    segp))
 			break;
 		vaddr += sgsize;
-		buflen -= sgsize;
+		buflen -= MIN(sgsize, buflen); /* avoid underflow */
 	}

 	/*
@ -808,7 +808,7 @@ bounce_bus_dmamap_load_ma(bus_dma_tag_t dmat, bus_dmamap_t map,
 			break;
 		KASSERT(buflen >= sgsize,
 		    ("Segment length overruns original buffer"));
-		buflen -= sgsize;
+		buflen -= MIN(sgsize, buflen); /* avoid underflow */
 		if (((ma_offs + sgsize) & ~PAGE_MASK) != 0)
 			page_index++;
 		ma_offs = (ma_offs + sgsize) & PAGE_MASK;