habanalabs: proper handling of alloc size in coresight

[ Upstream commit 36545279f076afeb77104f5ffeab850da3b6d107 ]

Allocation size can go up to 64bit but truncated to 32bit,
we should make sure it is not truncated and validate no address
overflow.

Signed-off-by: Ofir Bitton <obitton@habana.ai>
Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/misc/habanalabs/gaudi/gaudi_coresight.c b/drivers/misc/habanalabs/gaudi/gaudi_coresight.c
index bf0e062d7b874e60376741811661b957041fddc9..cc3d03549a6e43b3d036c3c873eb6b866b5ef74e 100644 (file)
--- a/drivers/misc/habanalabs/gaudi/gaudi_coresight.c
+++ b/drivers/misc/habanalabs/gaudi/gaudi_coresight.c
@@ -523,7 +523,7 @@ static int gaudi_config_etf(struct hl_device *hdev,
 }
 
 static bool gaudi_etr_validate_address(struct hl_device *hdev, u64 addr,
-                                       u32 size, bool *is_host)
+                                       u64 size, bool *is_host)
 {
        struct asic_fixed_properties *prop = &hdev->asic_prop;
        struct gaudi_device *gaudi = hdev->asic_specific;
@@ -535,6 +535,12 @@ static bool gaudi_etr_validate_address(struct hl_device *hdev, u64 addr,
                return false;
        }
 
+       if (addr > (addr + size)) {
+               dev_err(hdev->dev,
+                       "ETR buffer size %llu overflow\n", size);
+               return false;
+       }
+
        /* PMMU and HPMMU addresses are equal, check only one of them */
        if ((gaudi->hw_cap_initialized & HW_CAP_MMU) &&
                hl_mem_area_inside_range(addr, size,

diff --git a/drivers/misc/habanalabs/goya/goya_coresight.c b/drivers/misc/habanalabs/goya/goya_coresight.c
index 1258724ea5106260f8942bab5b8f6d1417606a4f..c23a9fcb74b579bdf79f2b522a1247c8103fdaa2 100644 (file)
--- a/drivers/misc/habanalabs/goya/goya_coresight.c
+++ b/drivers/misc/habanalabs/goya/goya_coresight.c
@@ -358,11 +358,17 @@ static int goya_config_etf(struct hl_device *hdev,
 }
 
 static int goya_etr_validate_address(struct hl_device *hdev, u64 addr,
-               u32 size)
+               u64 size)
 {
        struct asic_fixed_properties *prop = &hdev->asic_prop;
        u64 range_start, range_end;
 
+       if (addr > (addr + size)) {
+               dev_err(hdev->dev,
+                       "ETR buffer size %llu overflow\n", size);
+               return false;
+       }
+
        if (hdev->mmu_enable) {
                range_start = prop->dmmu.start_addr;
                range_end = prop->dmmu.end_addr;

diff --git a/drivers/misc/habanalabs/habanalabs.h b/drivers/misc/habanalabs/habanalabs.h
index 194d8335269642e8edb2e3c25f858d8392335da0..feedf3194ea6cfe4cb8db3e37293f6dcfd8d60d8 100644 (file)
--- a/drivers/misc/habanalabs/habanalabs.h
+++ b/drivers/misc/habanalabs/habanalabs.h
@@ -1587,7 +1587,7 @@ struct hl_ioctl_desc {
  *
  * Return: true if the area is inside the valid range, false otherwise.
  */
-static inline bool hl_mem_area_inside_range(u64 address, u32 size,
+static inline bool hl_mem_area_inside_range(u64 address, u64 size,
                                u64 range_start_address, u64 range_end_address)
 {
        u64 end_address = address + size;