* re: dmaengine: idxd: fix submission race window
@ 2021-07-22 18:56 Colin Ian King
From: Colin Ian King @ 2021-07-22 18:56 UTC (permalink / raw)
  To: Dave Jiang; +Cc: Vinod Koul, dmaengine, linux-kernel

Hi,

Static analysis with Coverity on Linux-next has found an issue with the
following commit:

commit 6b4b87f2c31ac1af4f244990a7cbfb50d3f3e33f
Author: Dave Jiang <dave.jiang@intel.com>
Date:   Wed Jul 14 11:50:06 2021 -0700

    dmaengine: idxd: fix submission race window

The analysis is as follows:

180static int irq_process_pending_llist(struct idxd_irq_entry *irq_entry,
181                                     int *processed, u64 data)
182{
183        struct idxd_desc *desc, *t;
184        struct llist_node *head;
185        int queued = 0;
186        unsigned long flags;
187
188        *processed = 0;
189        head = llist_del_all(&irq_entry->pending_llist);
190        if (!head)
191                goto out;
192
193        llist_for_each_entry_safe(desc, t, head, llnode) {

   assignment: Assigning: status = (*desc).completion->status & 0x7f.

194                u8 status = desc->completion->status &
DSA_COMP_STATUS_MASK;
195

   cond_between: Condition status, taking true branch. Now the value of
status is between 1 and 127.
   cond_cannot_single: Condition status, taking true branch. Now the
value of status cannot be equal to 0.

196                if (status) {

   between: At condition status == IDXD_COMP_DESC_ABORT, the value of
status must be between 1 and 127.
   cond_cannot_set: Condition status == IDXD_COMP_DESC_ABORT, taking
false branch. Now the value of status cannot be equal to any of {0, 255}.

   cannot_single: At condition status == IDXD_COMP_DESC_ABORT, the value
of status cannot be equal to 0.
   dead_error_condition: The condition !!(status ==
IDXD_COMP_DESC_ABORT) cannot be true.

197                        if (unlikely(status == IDXD_COMP_DESC_ABORT)) {
   Logically dead code (DEADCODE)
   dead_error_begin: Execution cannot reach this statement:

   complete_desc(desc, IDXD_CO....

198                                complete_desc(desc, IDXD_COMPLETE_ABORT);
199                                (*processed)++;
200                                continue;
201                        }
202
203                        complete_desc(desc, IDXD_COMPLETE_NORMAL);
204                        (*processed)++;

The check (status == IDXD_COMP_DESC_ABORT) is always false since status
was previously masked with 0x7f and IDXD_COMP_DESC_ABORT is 0xff.

Colin.
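
The finding above as a stand-alone program (an added example, not part of the original message and not the driver's code): it runs every possible status byte through the flagged pattern and through an assumed alternative that tests the unmasked byte first. The EX_ names are hypothetical; only the values 0x7f and 0xff come from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from the report; EX_ names are this example's, not the driver's. */
#define EX_STATUS_MASK 0x7f
#define EX_DESC_ABORT  0xff

enum ex_result { EX_PENDING, EX_NORMAL, EX_ABORT };

/* A constant can only ever equal (x & mask) if it has no bits outside mask. */
#define EX_REACHABLE(mask, c) ((((c) & (mask)) == (c)))

/* Shape of the flagged code: compare the masked value with 0xff. */
static enum ex_result classify_masked(uint8_t raw)
{
	uint8_t status = raw & EX_STATUS_MASK;

	if (!status)
		return EX_PENDING;
	if (status == EX_DESC_ABORT)	/* never true: status <= 0x7f */
		return EX_ABORT;
	return EX_NORMAL;
}

/* Assumed alternative: test the unmasked byte for the abort marker first. */
static enum ex_result classify_raw_first(uint8_t raw)
{
	if (raw == EX_DESC_ABORT)
		return EX_ABORT;
	return (raw & EX_STATUS_MASK) ? EX_NORMAL : EX_PENDING;
}

/* Count how many of the 256 possible status bytes reach the abort branch. */
static int count_abort(enum ex_result (*fn)(uint8_t))
{
	int raw, n = 0;

	for (raw = 0; raw <= 0xff; raw++)
		n += fn((uint8_t)raw) == EX_ABORT;
	return n;
}

int main(void)
{
	printf("abort hits: masked=%d raw-first=%d, 0xff reachable under 0x7f: %d\n",
	       count_abort(classify_masked), count_abort(classify_raw_first),
	       EX_REACHABLE(EX_STATUS_MASK, EX_DESC_ABORT));
	return 0;
}
```

With the masked comparison a raw status of 0xff is completed as a normal descriptor; the EX_REACHABLE expression can also be placed in a `_Static_assert` so a mask/constant mismatch of this kind fails at build time.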
