Yuri's email is bouncing.

Another related warning:

drivers/accel/habanalabs/gaudi/gaudi.c:5344 gaudi_parse_cb_mmu()
warn: potential user controlled sizeof overflow 'parser->user_cb_size + gaudi_get_patched_cb_extra_size(parser->user_cb_size)' '0-u32max + 0-u32max'

regards,
dan carpenter

On Wed, Mar 05, 2025 at 12:59:00PM +0300, Dan Carpenter wrote:
> Hello Yuri Nudelman,
>
> Commit 17ab47d2d6d4 ("habanalabs/gaudi: fix a race condition causing
> DMAR error") from Jun 22, 2022 (linux-next), leads to the following
> Smatch static checker warning:
>
>     drivers/accel/habanalabs/gaudi/gaudi.c:1422 gaudi_get_patched_cb_extra_size()
>     warn: potential user controlled sizeof overflow 'user_cb_size + additional_commands' '0-u32max + 32'
>
> drivers/accel/habanalabs/gaudi/gaudi.c
>     1415  static u32 gaudi_get_patched_cb_extra_size(u32 user_cb_size)
>     1416  {
>     1417          u32 cacheline_end, additional_commands;
>     1418
>     1419          cacheline_end = round_up(user_cb_size, DEVICE_CACHE_LINE_SIZE);
>     1420          additional_commands = sizeof(struct packet_msg_prot) * 2;
>     1421
> --> 1422          if (user_cb_size + additional_commands > cacheline_end)
>                       ^^^^^^^^^^^^
> The user_cb_size is a user controlled variable that comes from
> cs_ioctl_default().  This addition operation could result in an integer
> wrapping bug.
>
>     1423                  return cacheline_end - user_cb_size + additional_commands;
>     1424          else
>     1425                  return additional_commands;
>     1426  }
>
> regards,
> dan carpenter
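The 32-bit wrap that both warnings describe, as an added userspace example (not code from the driver or from this thread). The 128-byte DEVICE_CACHE_LINE_SIZE is an assumption, the 32 comes from the range Smatch printed for additional_commands, and round_up_u32(), patched_size_unchecked() and patched_size_checked() are hypothetical names introduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 128-byte device cache line (must be a power of two). */
#define DEVICE_CACHE_LINE_SIZE 128u
/* 32 is the value Smatch reported for additional_commands. */
#define ADDITIONAL_COMMANDS 32u

/* Userspace stand-in for the kernel's power-of-two round_up() on a u32. */
static uint32_t round_up_u32(uint32_t x, uint32_t align)
{
    return ((x - 1u) | (align - 1u)) + 1u;
}

/* Same arithmetic as the function quoted in the report. */
static uint32_t extra_size_unchecked(uint32_t user_cb_size)
{
    uint32_t cacheline_end = round_up_u32(user_cb_size, DEVICE_CACHE_LINE_SIZE);
    if (user_cb_size + ADDITIONAL_COMMANDS > cacheline_end)
        return cacheline_end - user_cb_size + ADDITIONAL_COMMANDS;
    return ADDITIONAL_COMMANDS;
}

/* The sum flagged at gaudi.c:5344, still in 32-bit arithmetic. */
static uint32_t patched_size_unchecked(uint32_t user_cb_size)
{
    return user_cb_size + extra_size_unchecked(user_cb_size);
}

/* Hypothetical hardened form: returns false instead of a wrapped size. */
static bool patched_size_checked(uint32_t user_cb_size, uint32_t *patched)
{
    uint32_t pad, extra;
    /* Reject sizes whose cache-line round-up does not fit in 32 bits. */
    if (user_cb_size > UINT32_MAX - (DEVICE_CACHE_LINE_SIZE - 1u))
        return false;
    pad = round_up_u32(user_cb_size, DEVICE_CACHE_LINE_SIZE) - user_cb_size;
    extra = ADDITIONAL_COMMANDS + (pad < ADDITIONAL_COMMANDS ? pad : 0u);
    return !__builtin_add_overflow(user_cb_size, extra, patched);
}

int main(void)
{
    uint32_t sz = 0xFFFFFFF0u, out = 0; /* constructed sample input */
    bool ok = patched_size_checked(sz, &out);
    printf("extra=%u patched=%u checked=%s\n", extra_size_unchecked(sz),
           patched_size_unchecked(sz), ok ? "ok" : "rejected");
    return 0;
}
```

With the constructed input 0xFFFFFFF0 the round-up wraps to 0, so the unchecked sum comes out as 32 bytes for a buffer of nearly 4 GiB. In kernel code, check_add_overflow() from <linux/overflow.h> plays the role that __builtin_add_overflow() plays here.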