* Fwd: New Defects reported by Coverity Scan for Linux
[not found] <5348ea4572e7_5d4d7ac86c27677@209.249.196.67.mail>
@ 2014-04-12 13:29 ` Bjorn Helgaas
2014-04-12 21:41 ` Ville Syrjälä
2014-04-12 13:38 ` Fwd: New Defects reported by Coverity Scan for Linux Bjorn Helgaas
2014-04-12 13:44 ` Bjorn Helgaas
2 siblings, 1 reply; 7+ messages in thread
From: Bjorn Helgaas @ 2014-04-12 13:29 UTC (permalink / raw)
To: Ville Syrjälä; +Cc: Ingo Molnar, linux-kernel
FYI, looks like these were added by a4dff76924fe ("x86/gpu: Add Intel
graphics stolen memory quirk for gen2 platforms").
---------- Forwarded message ----------
From: <scan-admin@coverity.com>
Date: Sat, Apr 12, 2014 at 1:24 AM
Subject: New Defects reported by Coverity Scan for Linux
To:
...
** CID 1201423: Unintended sign extension (SIGN_EXTENSION)
/arch/x86/kernel/early-quirks.c: 290 in i830_mem_size()
** CID 1201424: Unintended sign extension (SIGN_EXTENSION)
/arch/x86/kernel/early-quirks.c: 295 in i85x_mem_size()
...
________________________________________________________________________________________________________
*** CID 1201423: Unintended sign extension (SIGN_EXTENSION)
/arch/x86/kernel/early-quirks.c: 290 in i830_mem_size()
284
285 return MB(1);
286 }
287
288 static size_t __init i830_mem_size(void)
289 {
>>> CID 1201423: Unintended sign extension (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "read_pci_config_byte(0, 0, 0, 99)" with type "unsigned char" (8 bits, unsigned) is promoted in "read_pci_config_byte(0, 0, 0, 99) * 33554432" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "read_pci_config_byte(0, 0, 0, 99) * 33554432" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
290 return read_pci_config_byte(0, 0, 0, I830_DRB3) * MB(32);
291 }
292
293 static size_t __init i85x_mem_size(void)
294 {
295 return read_pci_config_byte(0, 0, 1, I85X_DRB3) * MB(32);
________________________________________________________________________________________________________
*** CID 1201424: Unintended sign extension (SIGN_EXTENSION)
/arch/x86/kernel/early-quirks.c: 295 in i85x_mem_size()
289 {
290 return read_pci_config_byte(0, 0, 0, I830_DRB3) * MB(32);
291 }
292
293 static size_t __init i85x_mem_size(void)
294 {
>>> CID 1201424: Unintended sign extension (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "read_pci_config_byte(0, 0, 1, 67)" with type "unsigned char" (8 bits, unsigned) is promoted in "read_pci_config_byte(0, 0, 1, 67) * 33554432" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "read_pci_config_byte(0, 0, 1, 67) * 33554432" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
295 return read_pci_config_byte(0, 0, 1, I85X_DRB3) * MB(32);
296 }
297
298 /*
299 * On 830/845/85x the stolen memory base isn't available in any
300 * register. We need to calculate it as TOM-TSEG_SIZE-stolen_size.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Linux
[not found] <5348ea4572e7_5d4d7ac86c27677@209.249.196.67.mail>
2014-04-12 13:29 ` Fwd: New Defects reported by Coverity Scan for Linux Bjorn Helgaas
@ 2014-04-12 13:38 ` Bjorn Helgaas
2014-04-12 13:44 ` Bjorn Helgaas
2 siblings, 0 replies; 7+ messages in thread
From: Bjorn Helgaas @ 2014-04-12 13:38 UTC (permalink / raw)
To: Brown, Len; +Cc: Rafael J. Wysocki, Linux PM list
Hi Len,
FYI, these were added by 0138d8f0755b ("intel_idle: fine-tune IVT
residency targets").
I think both are the result of missing braces around the "if
(num_sockets > 4)" body.
The "returns" at the end of intel_idle_cpuidle_devices_uninit(),
intel_idle_state_table_update(), and intel_idle_exit() are also
superfluous.
---------- Forwarded message ----------
From: <scan-admin@coverity.com>
Date: Sat, Apr 12, 2014 at 1:24 AM
Subject: New Defects reported by Coverity Scan for Linux
...
** CID 1201420: Logically dead code (DEADCODE)
/drivers/idle/intel_idle.c: 760 in intel_idle_state_table_update()
** CID 1201421: Nesting level does not match indentation
(NESTING_INDENT_MISMATCH)
/drivers/idle/intel_idle.c: 755 in intel_idle_state_table_update()
...
________________________________________________________________________________________________________
*** CID 1201420: Logically dead code (DEADCODE)
/drivers/idle/intel_idle.c: 760 in intel_idle_state_table_update()
754 cpuidle_state_table =
ivt_cstates_8s;
755 return;
756 }
757 }
758
759 if (num_sockets > 2)
>>> CID 1201420: Logically dead code (DEADCODE)
>>> Execution cannot reach this statement "cpuidle_state_table = ivt_c...".
760 cpuidle_state_table = ivt_cstates_4s;
761 /* else, 1 and 2 socket systems use default
ivt_cstates */
762 }
763 return;
764 }
765
________________________________________________________________________________________________________
*** CID 1201421: Nesting level does not match indentation
(NESTING_INDENT_MISMATCH)
/drivers/idle/intel_idle.c: 755 in intel_idle_state_table_update()
749 package_num = topology_physical_package_id(cpu);
750 if (package_num + 1 > num_sockets) {
751 num_sockets = package_num + 1;
752
753 if (num_sockets > 4)
754 cpuidle_state_table =
ivt_cstates_8s;
>>> CID 1201421: Nesting level does not match indentation (NESTING_INDENT_MISMATCH)
>>> This statement is indented to column 41, as if it were nested within the preceding parent statement, but it is not.
755 return;
756 }
757 }
758
759 if (num_sockets > 2)
760 cpuidle_state_table = ivt_cstates_4s;
____________________________________________________________
^ permalink raw reply [flat|nested] 7+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Linux
[not found] <5348ea4572e7_5d4d7ac86c27677@209.249.196.67.mail>
2014-04-12 13:29 ` Fwd: New Defects reported by Coverity Scan for Linux Bjorn Helgaas
2014-04-12 13:38 ` Fwd: New Defects reported by Coverity Scan for Linux Bjorn Helgaas
@ 2014-04-12 13:44 ` Bjorn Helgaas
2 siblings, 0 replies; 7+ messages in thread
From: Bjorn Helgaas @ 2014-04-12 13:44 UTC (permalink / raw)
To: Harald Hoyer; +Cc: Chris Mason, linux-btrfs
FYI, this warning was introduced by 0723a0473fb4 ("btrfs: allow
mounting btrfs subvolumes with different ro/rw options").
It looks like "newargs" is eventually used in mount_fs(), so I think
this one is real.
---------- Forwarded message ----------
From: <scan-admin@coverity.com>
Date: Sat, Apr 12, 2014 at 1:24 AM
Subject: New Defects reported by Coverity Scan for Linux
...
** CID 1201425: Use after free (USE_AFTER_FREE)
/fs/btrfs/super.c: 1193 in mount_subvol()
/fs/btrfs/super.c: 1197 in mount_subvol()
...
________________________________________________________________________________________________________
*** CID 1201425: Use after free (USE_AFTER_FREE)
/fs/btrfs/super.c: 1193 in mount_subvol()
1187 mnt = vfs_kern_mount(&btrfs_fs_type, flags, device_name,
1188 newargs);
1189 kfree(newargs);
1190
1191 if (PTR_RET(mnt) == -EBUSY) {
1192 if (flags & MS_RDONLY) {
>>> CID 1201425: Use after free (USE_AFTER_FREE)
>>> Passing freed pointer "newargs" as an argument to "vfs_kern_mount".
1193 mnt = vfs_kern_mount(&btrfs_fs_type,
flags & ~MS_RDONLY, device_name,
1194 newargs);
1195 } else {
1196 int r;
1197 mnt = vfs_kern_mount(&btrfs_fs_type,
flags | MS_RDONLY, device_name,
1198 newargs);
/fs/btrfs/super.c: 1197 in mount_subvol()
1191 if (PTR_RET(mnt) == -EBUSY) {
1192 if (flags & MS_RDONLY) {
1193 mnt = vfs_kern_mount(&btrfs_fs_type,
flags & ~MS_RDONLY, device_name,
1194 newargs);
1195 } else {
1196 int r;
>>> CID 1201425: Use after free (USE_AFTER_FREE)
>>> Passing freed pointer "newargs" as an argument to "vfs_kern_mount".
1197 mnt = vfs_kern_mount(&btrfs_fs_type,
flags | MS_RDONLY, device_name,
1198 newargs);
1199 if (IS_ERR(mnt))
1200 return ERR_CAST(mnt);
1201
1202 r = btrfs_remount(mnt->mnt_sb, &flags, NULL);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/128?tab=Overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Linux
2014-04-12 13:29 ` Fwd: New Defects reported by Coverity Scan for Linux Bjorn Helgaas
@ 2014-04-12 21:41 ` Ville Syrjälä
2014-04-12 22:41 ` H. Peter Anvin
0 siblings, 1 reply; 7+ messages in thread
From: Ville Syrjälä @ 2014-04-12 21:41 UTC (permalink / raw)
To: Bjorn Helgaas; +Cc: Ingo Molnar, linux-kernel
On Sat, Apr 12, 2014 at 07:29:29AM -0600, Bjorn Helgaas wrote:
> FYI, looks like these were added by a4dff76924fe ("x86/gpu: Add Intel
> graphics stolen memory quirk for gen2 platforms").
Some of the affected gen2 platforms do support up to 2GB of RAM which
means that if the sign extension were to happen they could hit this.
However I believe all gen2 platforms are 32bit which AFAIK makes size_t
32 bits. So looks like we can't hit this in practice..
But if someone were to change the return type to 64bits we'd
be in real danger, so I guess it would be better to fix the bug
anyway.
-#define KB(x) ((x) * 1024)
+#define KB(x) ((x) * 1024U)
should be sufficient to eliminate the problem. If someone wants me to
put that into a real patch and send it out let me know.
>
>
> ---------- Forwarded message ----------
> From: <scan-admin@coverity.com>
> Date: Sat, Apr 12, 2014 at 1:24 AM
> Subject: New Defects reported by Coverity Scan for Linux
> To:
>
> ...
>
> ** CID 1201423: Unintended sign extension (SIGN_EXTENSION)
> /arch/x86/kernel/early-quirks.c: 290 in i830_mem_size()
>
> ** CID 1201424: Unintended sign extension (SIGN_EXTENSION)
> /arch/x86/kernel/early-quirks.c: 295 in i85x_mem_size()
>
> ...
> ________________________________________________________________________________________________________
> *** CID 1201423: Unintended sign extension (SIGN_EXTENSION)
> /arch/x86/kernel/early-quirks.c: 290 in i830_mem_size()
> 284
> 285 return MB(1);
> 286 }
> 287
> 288 static size_t __init i830_mem_size(void)
> 289 {
> >>> CID 1201423: Unintended sign extension (SIGN_EXTENSION)
> >>> Suspicious implicit sign extension: "read_pci_config_byte(0, 0, 0, 99)" with type "unsigned char" (8 bits, unsigned) is promoted in "read_pci_config_byte(0, 0, 0, 99) * 33554432" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "read_pci_config_byte(0, 0, 0, 99) * 33554432" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 290 return read_pci_config_byte(0, 0, 0, I830_DRB3) * MB(32);
> 291 }
> 292
> 293 static size_t __init i85x_mem_size(void)
> 294 {
> 295 return read_pci_config_byte(0, 0, 1, I85X_DRB3) * MB(32);
>
> ________________________________________________________________________________________________________
> *** CID 1201424: Unintended sign extension (SIGN_EXTENSION)
> /arch/x86/kernel/early-quirks.c: 295 in i85x_mem_size()
> 289 {
> 290 return read_pci_config_byte(0, 0, 0, I830_DRB3) * MB(32);
> 291 }
> 292
> 293 static size_t __init i85x_mem_size(void)
> 294 {
> >>> CID 1201424: Unintended sign extension (SIGN_EXTENSION)
> >>> Suspicious implicit sign extension: "read_pci_config_byte(0, 0, 1, 67)" with type "unsigned char" (8 bits, unsigned) is promoted in "read_pci_config_byte(0, 0, 1, 67) * 33554432" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "read_pci_config_byte(0, 0, 1, 67) * 33554432" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 295 return read_pci_config_byte(0, 0, 1, I85X_DRB3) * MB(32);
> 296 }
> 297
> 298 /*
> 299 * On 830/845/85x the stolen memory base isn't available in any
> 300 * register. We need to calculate it as TOM-TSEG_SIZE-stolen_size.
--
Ville Syrjälä
Intel OTC
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Linux
2014-04-12 21:41 ` Ville Syrjälä
@ 2014-04-12 22:41 ` H. Peter Anvin
2014-04-13 9:45 ` [PATCH] x86/gpu: Fix sign extension issue in Intel graphics stolen memory quirks ville.syrjala
0 siblings, 1 reply; 7+ messages in thread
From: H. Peter Anvin @ 2014-04-12 22:41 UTC (permalink / raw)
To: Ville Syrjälä, Bjorn Helgaas; +Cc: Ingo Molnar, linux-kernel
On 04/12/2014 02:41 PM, Ville Syrjälä wrote:
> On Sat, Apr 12, 2014 at 07:29:29AM -0600, Bjorn Helgaas wrote:
>> FYI, looks like these were added by a4dff76924fe ("x86/gpu: Add Intel
>> graphics stolen memory quirk for gen2 platforms").
>
> Some of the affected gen2 platforms do support up to 2GB of RAM which
> means that if the sign extension were to happen they could hit this.
> However I believe all gen2 platforms are 32bit which AFAIK makes size_t
> 32 bits. So looks like we can't hit this in practice..
>
> But if someone were to change the return type to 64bits we'd
> be in real danger, so I guess it would be better to fix the bug
> anyway.
>
> -#define KB(x) ((x) * 1024)
> +#define KB(x) ((x) * 1024U)
> should be sufficient to eliminate the problem. If someone wants me to
> put that into a real patch and send it out let me know.
>
Please do, but make it UL (in the Linux kernel context, unsigned long is
always equivalent to size_t/pointer size.)
-hpa
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] x86/gpu: Fix sign extension issue in Intel graphics stolen memory quirks
2014-04-12 22:41 ` H. Peter Anvin
@ 2014-04-13 9:45 ` ville.syrjala
2014-04-14 7:22 ` [tip:x86/urgent] " tip-bot for Ville Syrjälä
0 siblings, 1 reply; 7+ messages in thread
From: ville.syrjala @ 2014-04-13 9:45 UTC (permalink / raw)
To: linux-kernel; +Cc: H. Peter Anvin, Bjorn Helgaas, Ingo Molnar
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
Have the KB(),MB(),GB() macros produce unsigned longs to avoid
uninteded sign extension issues with the gen2 memory size detection.
What happens is first the uint8_t returned by read_pci_config_byte()
gets promoted to an int which gets multiplied by another int from the
MB() macro, and finally the result gets sign extended to size_t.
Although this shouldn't be a problem in practice as all affected gen2
platforms are 32bit AFAIK, so size_t will be 32 bits.
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
---
arch/x86/kernel/early-quirks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/early-quirks.c b/arch/x86/kernel/early-quirks.c
index b0cc380..6e2537c 100644
--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -240,7 +240,7 @@ static u32 __init intel_stolen_base(int num, int slot, int func, size_t stolen_s
return base;
}
-#define KB(x) ((x) * 1024)
+#define KB(x) ((x) * 1024UL)
#define MB(x) (KB (KB (x)))
#define GB(x) (MB (KB (x)))
--
1.8.3.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [tip:x86/urgent] x86/gpu: Fix sign extension issue in Intel graphics stolen memory quirks
2014-04-13 9:45 ` [PATCH] x86/gpu: Fix sign extension issue in Intel graphics stolen memory quirks ville.syrjala
@ 2014-04-14 7:22 ` tip-bot for Ville Syrjälä
0 siblings, 0 replies; 7+ messages in thread
From: tip-bot for Ville Syrjälä @ 2014-04-14 7:22 UTC (permalink / raw)
To: linux-tip-commits; +Cc: linux-kernel, hpa, mingo, bhelgaas, ville.syrjala, tglx
Commit-ID: 86e587623a0ca8426267dad8d3eaebd6fc2d00f1
Gitweb: http://git.kernel.org/tip/86e587623a0ca8426267dad8d3eaebd6fc2d00f1
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
AuthorDate: Sun, 13 Apr 2014 12:45:03 +0300
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Mon, 14 Apr 2014 08:50:56 +0200
x86/gpu: Fix sign extension issue in Intel graphics stolen memory quirks
Have the KB(),MB(),GB() macros produce unsigned longs to avoid
unintended sign extension issues with the gen2 memory size
detection.
What happens is first the uint8_t returned by
read_pci_config_byte() gets promoted to an int which gets
multiplied by another int from the MB() macro, and finally the
result gets sign extended to size_t.
Although this shouldn't be a problem in practice as all affected
gen2 platforms are 32bit AFAIK, so size_t will be 32 bits.
Reported-by: Bjorn Helgaas <bhelgaas@google.com>
Suggested-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: linux-kernel@vger.kernel.org
Link: http://lkml.kernel.org/r/1397382303-17525-1-git-send-email-ville.syrjala@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/kernel/early-quirks.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/early-quirks.c b/arch/x86/kernel/early-quirks.c
index b0cc380..6e2537c 100644
--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -240,7 +240,7 @@ static u32 __init intel_stolen_base(int num, int slot, int func, size_t stolen_s
return base;
}
-#define KB(x) ((x) * 1024)
+#define KB(x) ((x) * 1024UL)
#define MB(x) (KB (KB (x)))
#define GB(x) (MB (KB (x)))
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-04-14 7:23 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <5348ea4572e7_5d4d7ac86c27677@209.249.196.67.mail>
2014-04-12 13:29 ` Fwd: New Defects reported by Coverity Scan for Linux Bjorn Helgaas
2014-04-12 21:41 ` Ville Syrjälä
2014-04-12 22:41 ` H. Peter Anvin
2014-04-13 9:45 ` [PATCH] x86/gpu: Fix sign extension issue in Intel graphics stolen memory quirks ville.syrjala
2014-04-14 7:22 ` [tip:x86/urgent] " tip-bot for Ville Syrjälä
2014-04-12 13:38 ` Fwd: New Defects reported by Coverity Scan for Linux Bjorn Helgaas
2014-04-12 13:44 ` Bjorn Helgaas
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.