summaryrefslogtreecommitdiffstats
path: root/drivers/acpi/sbs.c
diff options
context:
space:
mode:
authorAlex Williamson <alex.williamson@redhat.com>2014-05-30 11:35:54 -0600
committerAlex Williamson <alex.williamson@redhat.com>2014-05-30 11:35:54 -0600
commitc8dbca165bb090f926996a572ea2b5b577b34b70 (patch)
treeb0796dcde190329789cb56c5b42ce15c3ef71cf7 /drivers/acpi/sbs.c
parenteb5685f0de4702e44a8b262f1acaea52ef99271a (diff)
downloadlinux-c8dbca165bb090f926996a572ea2b5b577b34b70.tar.bz2
vfio/iommu_type1: Avoid overflow
Coverity reports use of a tained scalar used as a loop boundary. For the most part, any values passed from userspace for a DMA mapping size, IOVA, or virtual address are valid, with some alignment constraints. The size is ultimately bound by how many pages the user is able to lock, IOVA is tested by the IOMMU driver when doing a map, and the virtual address needs to pass get_user_pages. The only problem I can find is that we do expect the __u64 user values to fit within our variables, which might not happen on 32bit platforms. Add a test for this and return error on overflow. Also propagate use of the type-correct local variables throughout the function. The above also points to the 'end' variable, which can be zero if we're operating at the very top of the address space. We try to account for this, but our loop botches it. Rework the loop to use the remaining size as our loop condition rather than the IOVA vs end. Detected by Coverity: CID 714659 Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Diffstat (limited to 'drivers/acpi/sbs.c')
0 files changed, 0 insertions, 0 deletions