Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
From: David Laight <David.Laight@ACULAB.COM>
To: 'Peter Chen' <peter.chen@nxp.com>, Felipe Balbi <balbi@kernel.org>
Cc: "pawell@cadence.com" <pawell@cadence.com>,
	"rogerq@ti.com" <rogerq@ti.com>,
	"linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
	dl-linux-imx <linux-imx@nxp.com>,
	"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
	Jun Li <jun.li@nxp.com>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: RE: [PATCH 1/3] usb: cdns3: gadget: suspicious implicit sign extension
Date: Tue, 27 Oct 2020 10:08:13 +0000
Message-ID: <503122a794a346da84d2554150e8deb3@AcuMS.aculab.com> (raw)
In-Reply-To: <20201027094825.GA5940@b29397-desktop>

From: Peter Chen
> Sent: 27 October 2020 09:49
> 
> On 20-10-27 11:03:29, Felipe Balbi wrote:
> >
> > Hi,
> >
> > Peter Chen <peter.chen@nxp.com> writes:
> > > For code:
> > > trb->length = cpu_to_le32(TRB_BURST_LEN(priv_ep->trb_burst_size)
> > > 	       	| TRB_LEN(length));
> > >
> > > TRB_BURST_LEN(priv_ep->trb_burst_size) may be overflow for int 32 if
> > > priv_ep->trb_burst_size is equal or larger than 0x80;
> > >
> > > Below is the Coverity warning:
> > > sign_extension: Suspicious implicit sign extension: priv_ep->trb_burst_size
> > > with type u8 (8 bits, unsigned) is promoted in priv_ep->trb_burst_size << 24
> > > to type int (32 bits, signed), then sign-extended to type unsigned long
> > > (64 bits, unsigned). If priv_ep->trb_burst_size << 24 is greater than 0x7FFFFFFF,
> > > the upper bits of the result will all be 1.
> >
> > looks like a false positive...
> >
> > > Cc: <stable@vger.kernel.org> #v5.8+
> > > Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
> > > Signed-off-by: Peter Chen <peter.chen@nxp.com>
> > > ---
> > >  drivers/usb/cdns3/gadget.h | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/usb/cdns3/gadget.h b/drivers/usb/cdns3/gadget.h
> > > index 1ccecd237530..020936cb9897 100644
> > > --- a/drivers/usb/cdns3/gadget.h
> > > +++ b/drivers/usb/cdns3/gadget.h
> > > @@ -1072,7 +1072,7 @@ struct cdns3_trb {
> > >  #define TRB_TDL_SS_SIZE_GET(p)	(((p) & GENMASK(23, 17)) >> 17)
> > >
> > >  /* transfer_len bitmasks - bits 31:24 */
> > > -#define TRB_BURST_LEN(p)	(((p) << 24) & GENMASK(31, 24))
> > > +#define TRB_BURST_LEN(p)	(unsigned int)(((p) << 24) & GENMASK(31, 24))
> >
> > ... because TRB_BURST_LEN() is used to intialize a __le32 type. Even if
> > it ends up being sign extended, the top 32-bits will be ignored.
> >
> > I'll apply, but it looks like a pointless fix. We shouldn't need it for stable
> >
> At my v2:
> 
> It is:
> #define TRB_BURST_LEN(p)	((unsigned int)((p) << 24) & GENMASK(31, 24))
> 
> It is not related to high 32-bits issue, it is sign extended issue for
> 32 bits. If p is a unsigned char data, the compiler will consider
> (p) << 24 is int, but not unsigned int. So, if the p is larger than
> 0x80, the (p) << 24 will be overflow.
> 
> If you compile the code:
> 
> unsigned int k = 0x80 << 24 + 0x81;
> 
> It will report build warning:
> warning: left shift count >= width of type [-Wshift-count-overflow]

Something like:
#define TRB_BURST_LEN(p)  (((p) + 0u) << 24)
will remove the warning.

The GENMASK() is pretty pointless - the compiler may fail to optimise
it away.
If p is 64bit the high bits should get discarded pretty quickly.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)


  reply index

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-16 10:16 [PATCH 0/3] usb: cdns3: three bug fixes for v5.10 Peter Chen
2020-10-16 10:16 ` [PATCH 1/3] usb: cdns3: gadget: suspicious implicit sign extension Peter Chen
2020-10-27  9:03   ` Felipe Balbi
2020-10-27  9:48     ` Peter Chen
2020-10-27 10:08       ` David Laight [this message]
2020-10-27 14:21       ` Alan Stern
2020-10-28  6:41         ` Peter Chen
2020-10-27  9:03   ` Felipe Balbi
2020-10-16 10:16 ` [PATCH 2/3] usb: cdns3: gadget: own the lock wrongly at the suspend routine Peter Chen
2020-10-27  9:08   ` Felipe Balbi
2020-10-27  9:08   ` Felipe Balbi
2020-10-16 10:16 ` [PATCH 3/3] usb: cdns3: Fix on-chip memory overflow issue Peter Chen
2020-10-27  9:11   ` Felipe Balbi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=503122a794a346da84d2554150e8deb3@AcuMS.aculab.com \
    --to=david.laight@aculab.com \
    --cc=balbi@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=jun.li@nxp.com \
    --cc=linux-imx@nxp.com \
    --cc=linux-usb@vger.kernel.org \
    --cc=pawell@cadence.com \
    --cc=peter.chen@nxp.com \
    --cc=rogerq@ti.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org
	public-inbox-index linux-usb

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git