ARM: dma-mapping: Fix IOVA end addr check strictly
Hiroshi Doyu [Thu, 22 Aug 2013 18:52:33 +0000 (21:52 +0300)]
At IOVA area allocation, its end address check isn't enough strict in
the case of __alloc_iova_at().

Bug 1353121
Bug 1343762

Change-Id: Iebb1b100313ff70c23bbf262dddddfde1a52727b
Signed-off-by: Hiroshi Doyu <hdoyu@nvidia.com>
Reviewed-on: http://git-master/r/265018
GVS: Gerrit_Virtual_Submit
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>

arch/arm/mm/dma-mapping.c

index 1d7d360..c265e83 100644 (file)
@@ -1195,13 +1195,15 @@ static dma_addr_t __alloc_iova_at(struct dma_iommu_mapping *mapping,
 {
        unsigned int count, start, orig;
        unsigned long flags;
+       size_t bytes;
 
        count = ((PAGE_ALIGN(size) >> PAGE_SHIFT) + PG_PAGES +
                 (1 << mapping->order) - 1) >> mapping->order;
+       bytes = count << (mapping->order + PAGE_SHIFT);
 
        spin_lock_irqsave(&mapping->lock, flags);
 
-       if ((*iova < mapping->base) || (*iova >= mapping->end)) {
+       if ((*iova < mapping->base) || (bytes > mapping->end - *iova)) {
                *iova = -ENXIO;
                goto err_out;
        }