iommu: dma-mapping-fast: Add a check for count in fast_smmu_alloc

In fast_smmu_alloc size_t variable size is type casted to int
variable count, this variable count can get truncated and can
result in memory corruption during unmap, make count as size_t
and also add a check for count as sg_alloc_table_from_pages
accepts unsigned int value for count.

Change-Id: I4780a554c5c062fd9dd229e5cc0ac804b1ba31d8
Signed-off-by: Vijayanand Jitta <vjitta@codeaurora.org>

diff --git a/drivers/iommu/dma-mapping-fast.c b/drivers/iommu/dma-mapping-fast.c
index 0881d68..66c2abd 100644 (file)
--- a/drivers/iommu/dma-mapping-fast.c
+++ b/drivers/iommu/dma-mapping-fast.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2016-2017,2019, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -513,12 +513,22 @@ static void *fast_smmu_alloc(struct device *dev, size_t size,
        av8l_fast_iopte *ptep;
        unsigned long flags;
        struct sg_mapping_iter miter;
-       unsigned int count = ALIGN(size, SZ_4K) >> PAGE_SHIFT;
+       size_t count = ALIGN(size, SZ_4K) >> PAGE_SHIFT;
        int prot = IOMMU_READ | IOMMU_WRITE; /* TODO: extract from attrs */
        bool is_coherent = is_dma_coherent(dev, attrs);
        pgprot_t remap_prot = __get_dma_pgprot(attrs, PAGE_KERNEL, is_coherent);
        struct page **pages;
 
+       /*
+        * sg_alloc_table_from_pages accepts unsigned int value for count
+        * so check count doesn't exceed UINT_MAX.
+        */
+
+       if (count > UINT_MAX) {
+               dev_err(dev, "count: %zx exceeds UNIT_MAX\n", count);
+               return NULL;
+       }
+
        prot = __get_iommu_pgprot(attrs, prot, is_coherent);
 
        *handle = DMA_ERROR_CODE;