All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Cedric Wassenaar <cedric@bytespeed.nl>,
	Junxiao Chang <junxiao.chang@intel.com>,
	Florian Fainelli <f.fainelli@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 15/62] net: stmmac: fix dma queue left shift overflow issue
Date: Wed, 27 Jul 2022 18:10:24 +0200	[thread overview]
Message-ID: <20220727161004.781641985@linuxfoundation.org> (raw)
In-Reply-To: <20220727161004.175638564@linuxfoundation.org>

From: Junxiao Chang <junxiao.chang@intel.com>

[ Upstream commit 613b065ca32e90209024ec4a6bb5ca887ee70980 ]

When queue number is > 4, left shift overflows due to 32 bits
integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.

If CONFIG_UBSAN is enabled, kernel dumps below warning:
[   10.363842] ==================================================================
[   10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
[   10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
[   10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
[   10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
[   10.363958] Call Trace:
[   10.363960]  <TASK>
[   10.363963]  dump_stack_lvl+0x4a/0x5f
[   10.363971]  dump_stack+0x10/0x12
[   10.363974]  ubsan_epilogue+0x9/0x45
[   10.363976]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
[   10.363979]  ? wake_up_klogd+0x4a/0x50
[   10.363983]  ? vprintk_emit+0x8f/0x240
[   10.363986]  dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
[   10.364001]  stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
[   10.364009]  ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
[   10.364020]  stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
[   10.364030]  ? page_pool_alloc_pages+0x4d/0x70
[   10.364034]  ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
[   10.364042]  stmmac_open+0x39e/0x920 [stmmac]
[   10.364050]  __dev_open+0xf0/0x1a0
[   10.364054]  __dev_change_flags+0x188/0x1f0
[   10.364057]  dev_change_flags+0x26/0x60
[   10.364059]  do_setlink+0x908/0xc40
[   10.364062]  ? do_setlink+0xb10/0xc40
[   10.364064]  ? __nla_validate_parse+0x4c/0x1a0
[   10.364068]  __rtnl_newlink+0x597/0xa10
[   10.364072]  ? __nla_reserve+0x41/0x50
[   10.364074]  ? __kmalloc_node_track_caller+0x1d0/0x4d0
[   10.364079]  ? pskb_expand_head+0x75/0x310
[   10.364082]  ? nla_reserve_64bit+0x21/0x40
[   10.364086]  ? skb_free_head+0x65/0x80
[   10.364089]  ? security_sock_rcv_skb+0x2c/0x50
[   10.364094]  ? __cond_resched+0x19/0x30
[   10.364097]  ? kmem_cache_alloc_trace+0x15a/0x420
[   10.364100]  rtnl_newlink+0x49/0x70

This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
mapping warning.

Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>
Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
index bc8871e7351f..00b6af0b2f3a 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
@@ -222,6 +222,9 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan)
 	if (queue == 0 || queue == 4) {
 		value &= ~MTL_RXQ_DMA_Q04MDMACH_MASK;
 		value |= MTL_RXQ_DMA_Q04MDMACH(chan);
+	} else if (queue > 4) {
+		value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue - 4);
+		value |= MTL_RXQ_DMA_QXMDMACH(chan, queue - 4);
 	} else {
 		value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue);
 		value |= MTL_RXQ_DMA_QXMDMACH(chan, queue);
-- 
2.35.1




  parent reply	other threads:[~2022-07-27 16:32 UTC|newest]

Thread overview: 69+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-07-27 16:10 [PATCH 4.19 00/62] 4.19.254-rc1 review Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 01/62] riscv: add as-options for modules with assembly compontents Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 02/62] xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 03/62] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 04/62] power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 05/62] pinctrl: ralink: Check for null return of devm_kcalloc Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 06/62] perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 07/62] ip: Fix data-races around sysctl_ip_fwd_use_pmtu Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 08/62] ip: Fix data-races around sysctl_ip_nonlocal_bind Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 09/62] ip: Fix a data-race around sysctl_fwmark_reflect Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 10/62] tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 11/62] tcp: Fix data-races around sysctl_tcp_mtu_probing Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 12/62] tcp: Fix a data-race around sysctl_tcp_probe_threshold Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 13/62] tcp: Fix a data-race around sysctl_tcp_probe_interval Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 14/62] i2c: cadence: Change large transfer count reset logic to be unconditional Greg Kroah-Hartman
2022-07-27 16:10 ` Greg Kroah-Hartman [this message]
2022-07-27 16:10 ` [PATCH 4.19 16/62] net/tls: Fix race in TLS device down flow Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 17/62] igmp: Fix data-races around sysctl_igmp_llm_reports Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 18/62] igmp: Fix a data-race around sysctl_igmp_max_memberships Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 19/62] tcp: Fix data-races around sysctl_tcp_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 20/62] tcp: Fix data-races around some timeout sysctl knobs Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 21/62] tcp: Fix a data-race around sysctl_tcp_notsent_lowat Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 22/62] tcp: Fix a data-race around sysctl_tcp_tw_reuse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 23/62] tcp: Fix data-races around sysctl_tcp_fastopen Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 24/62] be2net: Fix buffer overflow in be_get_module_eeprom Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 25/62] tcp: Fix a data-race around sysctl_tcp_early_retrans Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 26/62] tcp: Fix data-races around sysctl_tcp_recovery Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 27/62] tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 28/62] tcp: Fix data-races around sysctl_tcp_slow_start_after_idle Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 29/62] tcp: Fix a data-race around sysctl_tcp_retrans_collapse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 30/62] tcp: Fix a data-race around sysctl_tcp_stdurg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 31/62] tcp: Fix a data-race around sysctl_tcp_rfc1337 Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 32/62] tcp: Fix data-races around sysctl_tcp_max_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 33/62] Revert "Revert "char/random: silence a lockdep splat with printk()"" Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 34/62] mm/mempolicy: fix uninit-value in mpol_rebind_policy() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 35/62] bpf: Make sure mac_header was set before using it Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 36/62] drm/tilcdc: Remove obsolete crtc_mode_valid() hack Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 37/62] tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 38/62] HID: multitouch: simplify the application retrieval Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 39/62] HID: multitouch: Lenovo X1 Tablet Gen3 trackpoint and buttons Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 40/62] HID: multitouch: add support for the Smart Tech panel Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 41/62] HID: add ALWAYS_POLL quirk to lenovo pixart mouse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 42/62] dlm: fix pending remove if msg allocation fails Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 43/62] ima: remove the IMA_TEMPLATE Kconfig option Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 44/62] ALSA: memalloc: Align buffer allocations in page size Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 45/62] Bluetooth: Add bt_skb_sendmsg helper Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 46/62] Bluetooth: Add bt_skb_sendmmsg helper Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 47/62] Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 48/62] Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 49/62] Bluetooth: Fix passing NULL to PTR_ERR Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 50/62] Bluetooth: SCO: Fix sco_send_frame returning skb->len Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 51/62] Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 52/62] serial: mvebu-uart: correctly report configured baudrate value Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 53/62] tty: drivers/tty/, stop using tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 54/62] tty: the rest, " Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 55/62] tty: drop tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 56/62] tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 57/62] tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 58/62] net: usb: ax88179_178a needs FLAG_SEND_ZLP Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 59/62] PCI: hv: Fix multi-MSI to allow more than one MSI vector Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 60/62] PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 61/62] PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 62/62] PCI: hv: Fix interrupt mapping for multi-MSI Greg Kroah-Hartman
2022-07-28  9:42 ` [PATCH 4.19 00/62] 4.19.254-rc1 review Pavel Machek
2022-07-28  9:45 ` Naresh Kamboju
2022-07-28 14:31 ` Sudip Mukherjee (Codethink)
2022-07-28 14:32 ` Jon Hunter
2022-07-28 14:51 ` Shuah Khan
2022-07-28 22:58 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220727161004.781641985@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=cedric@bytespeed.nl \
    --cc=davem@davemloft.net \
    --cc=f.fainelli@gmail.com \
    --cc=junxiao.chang@intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.