field | value | date
---|---|---
author | Mitchell Horne <mhorne@FreeBSD.org> | 2025-08-09 18:04:27 +0000
committer | Mitchell Horne <mhorne@FreeBSD.org> | 2025-08-09 18:42:33 +0000
commit | 60fce0e22147e7378e5585258aea0645e2274528 |
tree | 4e4dac041039de305ea50135c65674006675ade5 /contrib/ipfilter/lib/(developers-only) |
parent | a1d051bc878decc761b37cf8771ead100cc05768 |

More fallout from a77e1f0f81df.

When the tag has an alignment requirement but a small (remaining)
transfer size, the transfer will be rounded up to exceed its bounds,
resulting in memory corruption.

The issue is observed on powerpc as noted in the pull request:
https://github.com/freebsd/freebsd-src/pull/1415

I also observe the issue locally on riscv hardware, with an 8-byte
transfer having 64-byte alignment.

There is some uncertainty about the purpose/need for the alignment
roundup; both its original intention and present effect. Notably, it is
no longer present at all in arm/arm64 implementations. Possibly, this
roundup can be removed altogether, but this requires more careful
analysis of the edge-cases and history of the property.

For now, simply clamp sgsize to be no larger than the remaining buflen,
as this is certain to be correct within the current scheme and fixes
the affected transfers.

Discussed with: jhb, markj
MFC after: 3 weeks
Fixes: a77e1f0f81df ("busdma: better handling of small segment bouncing")
Sponsored by: The FreeBSD Foundation
Pull Request: https://github.com/freebsd/freebsd-src/pull/1415
Signed-off-by: Chattrapat Sangmanee <aomsin27@hotmail.co.th>
Co-authored-by: Chattrapat Sangmanee <aomsin27@hotmail.co.th>
Differential Revision: https://reviews.freebsd.org/D47807

Diffstat (limited to 'contrib/ipfilter/lib/(developers-only)')
0 files changed, 0 insertions, 0 deletions
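
An added example, not code from the FreeBSD tree or from this commit: a simplified user-space model of the sgsize arithmetic the commit message describes, with a canary-filled guard area that counts the bytes written past the end of the client buffer. The function name, the `maxsegsz` parameter, the arena size and the copy direction (bounce page back into the client buffer) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Round x up to a multiple of y; y must be a non-zero power of two. */
#define ROUNDUP2(x, y)	(((x) + ((y) - 1)) & ~((size_t)(y) - 1))
#define MIN(a, b)	((a) < (b) ? (a) : (b))
#define CANARY		0xA5
#define ARENA		512	/* client buffer plus guard area (model only) */

/*
 * Model of a bounced transfer of buflen bytes, split into segments of at
 * most maxsegsz (hypothetical parameter) and rounded up to the alignment.
 * With clamp != 0 the segment size is limited to the remaining length, as
 * the commit message proposes. Returns the number of guard bytes past the
 * end of the buffer that were overwritten, or (size_t)-1 on bad input.
 */
size_t
bounce_copyback(size_t buflen, size_t maxsegsz, size_t alignment, int clamp)
{
	static unsigned char bounce[ARENA];	/* stand-in bounce page, zeroed */
	unsigned char arena[ARENA];
	size_t off = 0, remaining = buflen, damaged = 0;

	if (alignment == 0 || (alignment & (alignment - 1)) != 0 ||
	    maxsegsz == 0 || buflen + alignment > ARENA)
		return ((size_t)-1);
	memset(arena, CANARY, sizeof(arena));
	while (remaining > 0) {
		size_t sgsize = MIN(remaining, maxsegsz);
		sgsize = ROUNDUP2(sgsize, alignment);	/* 8 -> 64 for 64-byte alignment */
		if (clamp)
			sgsize = MIN(sgsize, remaining);	/* the clamp to buflen */
		memcpy(arena + off, bounce, sgsize);
		off += sgsize;
		remaining -= MIN(sgsize, remaining);	/* model only: avoid size_t wrap */
	}
	for (size_t i = buflen; i < ARENA; i++)
		if (arena[i] != CANARY)
			damaged++;
	return (damaged);
}

int
main(void)
{
	printf("8B/64B align, unclamped: %zu guard bytes hit\n", bounce_copyback(8, 4096, 64, 0));
	printf("8B/64B align, clamped:   %zu guard bytes hit\n", bounce_copyback(8, 4096, 64, 1));
	return (0);
}
```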