[PATCH] accel/qaic: Fix possible data corruption in BOs > 2G
Youssef Samir
quic_yabdulra at quicinc.com
Thu Mar 6 18:41:28 UTC 2025
On 3/6/2025 5:19 PM, Jeff Hugo wrote:
> From: Jeffrey Hugo <quic_jhugo at quicinc.com>
>
> When slicing a BO, we need to iterate through the BO's sgt to find the
> right pieces to construct the slice. Some of the data types chosen for
> this process are incorrectly too small, and can overflow. This can
> result in the incorrect slice construction, which can lead to data
> corruption in workload execution.
>
> The device can only handle 32-bit sized transfers, and the scatterlist
> struct only supports 32-bit buffer sizes, so our upper limit for an
> individual transfer is an unsigned int. Using an int is incorrect due to
> the reservation of the sign bit. Upgrade the length of a scatterlist
> entry and the offsets into a scatterlist entry to unsigned int for a
> correct representation.
>
> While each transfer may be limited to 32-bits, the overall BO may exceed
> that size. For counting the total length of the BO, we need a type that
> can represent the largest allocation possible on the system. That is the
> definition of size_t, so use it.
>
> Fixes: ff13be830333 ("accel/qaic: Add datapath")
> Signed-off-by: Jeffrey Hugo <quic_jhugo at quicinc.com>
> Signed-off-by: Jeff Hugo <jeff.hugo at oss.qualcomm.com>
Reviewed-by: Youssef Samir <quic_yabdulra at quicinc.com>
More information about the dri-devel
mailing list