[bug report] habanalabs/gaudi: fix a race condition causing DMAR error
Dan Carpenter
dan.carpenter at linaro.org
Wed Mar 5 10:30:44 UTC 2025
Yuri's email is bouncing.
Another related warning:
drivers/accel/habanalabs/gaudi/gaudi.c:5344 gaudi_parse_cb_mmu()
warn: potential user controlled sizeof overflow
'parser->user_cb_size + gaudi_get_patched_cb_extra_size(parser->user_cb_size)'
'0-u32max + 0-u32max'
regards,
dan carpenter
On Wed, Mar 05, 2025 at 12:59:00PM +0300, Dan Carpenter wrote:
> Hello Yuri Nudelman,
>
> Commit 17ab47d2d6d4 ("habanalabs/gaudi: fix a race condition causing
> DMAR error") from Jun 22, 2022 (linux-next), leads to the following
> Smatch static checker warning:
>
> drivers/accel/habanalabs/gaudi/gaudi.c:1422 gaudi_get_patched_cb_extra_size()
> warn: potential user controlled sizeof overflow 'user_cb_size + additional_commands' '0-u32max + 32'
>
> drivers/accel/habanalabs/gaudi/gaudi.c
>     1415 static u32 gaudi_get_patched_cb_extra_size(u32 user_cb_size)
>     1416 {
>     1417         u32 cacheline_end, additional_commands;
>     1418
>     1419         cacheline_end = round_up(user_cb_size, DEVICE_CACHE_LINE_SIZE);
>     1420         additional_commands = sizeof(struct packet_msg_prot) * 2;
>     1421
> --> 1422         if (user_cb_size + additional_commands > cacheline_end)
>                      ^^^^^^^^^^^^
> The user_cb_size is a user controlled variable that comes from
> cs_ioctl_default(). This addition operation could result in an integer
> wrapping bug.
>
>     1423                 return cacheline_end - user_cb_size + additional_commands;
>     1424         else
>     1425                 return additional_commands;
>     1426 }
>
> regards,
> dan carpenter
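
The u32 arithmetic behind both warnings, worked through in userspace C as an added example (not code from the driver or from this thread). `CACHE_LINE = 128` is an assumed value for `DEVICE_CACHE_LINE_SIZE`, `round_up_u32` stands in for the kernel's `round_up()`, and `patched_size_checked` is a hypothetical checked variant, not a proposed patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CACHE_LINE 128u /* assumed value for DEVICE_CACHE_LINE_SIZE */
#define EXTRA_CMDS 32u  /* sizeof(struct packet_msg_prot) * 2, per Smatch's "+ 32" */

/* Userspace stand-in for the kernel's round_up() with a power-of-two y. */
static uint32_t round_up_u32(uint32_t x, uint32_t y)
{
	return ((x - 1) | (y - 1)) + 1;
}

/* Same arithmetic as the quoted function: every step is modulo 2^32. */
static uint32_t extra_size_wrapping(uint32_t user_cb_size)
{
	uint32_t cacheline_end = round_up_u32(user_cb_size, CACHE_LINE);

	if (user_cb_size + EXTRA_CMDS > cacheline_end)
		return cacheline_end - user_cb_size + EXTRA_CMDS;
	return EXTRA_CMDS;
}

/* Hypothetical checked variant: yields user_cb_size + extra in *patched,
 * or returns false when the round-up or the final sum would not fit in u32. */
static bool patched_size_checked(uint32_t user_cb_size, uint32_t *patched)
{
	uint32_t pad, extra;

	if (user_cb_size > UINT32_MAX - (CACHE_LINE - 1))
		return false; /* round_up would wrap to 0 */
	pad = round_up_u32(user_cb_size, CACHE_LINE) - user_cb_size;
	extra = (EXTRA_CMDS > pad) ? pad + EXTRA_CMDS : EXTRA_CMDS;
	/* GCC/Clang builtin; the kernel's check_add_overflow() wraps the same check */
	return !__builtin_add_overflow(user_cb_size, extra, patched);
}

int main(void)
{
	uint32_t size = 0xFFFFFFF0u, patched = 0; /* constructed input */
	uint32_t extra = extra_size_wrapping(size);

	printf("wrapping: extra=%u total=%u\n", extra, size + extra);
	printf("checked:  %s\n", patched_size_checked(size, &patched) ? "ok" : "rejected");
	return 0;
}
```

With the constructed size 0xFFFFFFF0, the unchecked path reports 48 extra bytes and the sum from the second warning wraps to 32, while the checked variant rejects the size.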