On Mon, Jan 29, 2024 at 10:57:40AM +0100, Geert Uytterhoeven wrote:
> Hi Dirk,
>
> CC Kees (for the wrap-around in dma_cookie_assign() not handled in [A])
> [...]
> Was the system running for a very long time?
> dma_cookie_assign() relies on 2-complement signed wrap-around:
>
> cookie = chan->cookie + 1;
> if (cookie < DMA_MIN_COOKIE)
> cookie = DMA_MIN_COOKIE;
>
> but given the kernel is compiled with -fno-strict-overflow (which
> implies -fwrapv) that should work.
For my own reference:
typedef s32 dma_cookie_t;
#define DMA_MIN_COOKIE 1
struct dma_chan {
...
dma_cookie_t cookie;
Correct, as you say, with -fno-strict-overflow this is well defined, and
will wrap the value around negative if chan->cookie was S32_MAX.
In the future, when the signed integer wrap-around sanitizer works
again, we'll want to change the math to something like:
cookie = add_wrap(typeof(cookie), chan->cookie, 1);
But that will be an ongoing conversion once folks have agreed on the
semantics of the wrapping helpers, which is not settled yet.
If you want to handle this today without depending on wrap-around,
it's a little bit more involved to do it open coded, but it's possible:
if (chan->cookie == type_max(typeof(chan->cookie)))
cookie = DMA_MIN_COOKIE;
else
cookie = chan->cookie + 1;
the "type_max(...)" part could also just be written as S32_MAX.
-Kees
--
Kees Cook
