* [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer
@ 2019-10-02 11:55 Colin King
2019-10-02 12:23 ` Mark Rutland
0 siblings, 1 reply; 3+ messages in thread
From: Colin King @ 2019-10-02 11:55 UTC (permalink / raw)
To: Kan Liang, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim,
Thomas Gleixner, Borislav Petkov, H . Peter Anvin, x86
Cc: kernel-janitors, linux-kernel
From: Colin Ian King <colin.king@canonical.com>
Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
will end up with an overflow when pci_dword greater than 0x1ff. Fix this
by casting pci_dword to a resource_size_t before masking and shifting it.
Addresses-Coverity: ("Unintentional integer overflow")
Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
arch/x86/events/intel/uncore_snbep.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
index b10a5ec79e48..ed69df1340d9 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -4415,7 +4415,7 @@ static void snr_uncore_mmio_init_box(struct intel_uncore_box *box)
return;
pci_read_config_dword(pdev, SNR_IMC_MMIO_BASE_OFFSET, &pci_dword);
- addr = (pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
+ addr = ((resource_size_t)pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
pci_read_config_dword(pdev, SNR_IMC_MMIO_MEM0_OFFSET, &pci_dword);
addr |= (pci_dword & SNR_IMC_MMIO_MEM0_MASK) << 12;
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer
2019-10-02 11:55 [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer Colin King
@ 2019-10-02 12:23 ` Mark Rutland
2019-10-02 12:38 ` Colin Ian King
0 siblings, 1 reply; 3+ messages in thread
From: Mark Rutland @ 2019-10-02 12:23 UTC (permalink / raw)
To: Colin King
Cc: Kan Liang, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Alexander Shishkin, Jiri Olsa, Namhyung Kim, Thomas Gleixner,
Borislav Petkov, H . Peter Anvin, x86, kernel-janitors,
linux-kernel
On Wed, Oct 02, 2019 at 12:55:45PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
> will end up with an overflow when pci_dword greater than 0x1ff. Fix this
> by casting pci_dword to a resource_size_t before masking and shifting it.
>
> Addresses-Coverity: ("Unintentional integer overflow")
I don't see that tag in Documentation/process/submitting-patches.rst ;)
IIUC this is unintented truncation of the upper bits due to missing type
promotion before the shift, rather than overflow (i.e. the value
wrapping across addition/subtraction), so I think the wording is
slightly misleading.
Does coverity call that integer overflow?
It might be better to say:
| [PATCH] perf/x86/intel/uncore: don't truncate upper bits of address
|
| Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
| by 23 will throw away the upper 23 bits of the potentially 64-bit
| address. Fix this by casting pci_dword to a resource_size_t before
| masking and shifting it.
|
| Found by coverity ("Unintentional integer overflow").
Otherwise, the patch looks fine to me:
Acked-by: Mark Rutland <mark.rutland@arm.com>
Thanks,
Mark.
> Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> arch/x86/events/intel/uncore_snbep.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
> index b10a5ec79e48..ed69df1340d9 100644
> --- a/arch/x86/events/intel/uncore_snbep.c
> +++ b/arch/x86/events/intel/uncore_snbep.c
> @@ -4415,7 +4415,7 @@ static void snr_uncore_mmio_init_box(struct intel_uncore_box *box)
> return;
>
> pci_read_config_dword(pdev, SNR_IMC_MMIO_BASE_OFFSET, &pci_dword);
> - addr = (pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
> + addr = ((resource_size_t)pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
>
> pci_read_config_dword(pdev, SNR_IMC_MMIO_MEM0_OFFSET, &pci_dword);
> addr |= (pci_dword & SNR_IMC_MMIO_MEM0_MASK) << 12;
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer
2019-10-02 12:23 ` Mark Rutland
@ 2019-10-02 12:38 ` Colin Ian King
0 siblings, 0 replies; 3+ messages in thread
From: Colin Ian King @ 2019-10-02 12:38 UTC (permalink / raw)
To: Mark Rutland
Cc: Kan Liang, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Alexander Shishkin, Jiri Olsa, Namhyung Kim, Thomas Gleixner,
Borislav Petkov, H . Peter Anvin, x86, kernel-janitors,
linux-kernel
On 02/10/2019 13:23, Mark Rutland wrote:
> On Wed, Oct 02, 2019 at 12:55:45PM +0100, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
>> will end up with an overflow when pci_dword greater than 0x1ff. Fix this
>> by casting pci_dword to a resource_size_t before masking and shifting it.
>>
>> Addresses-Coverity: ("Unintentional integer overflow")
>
> I don't see that tag in Documentation/process/submitting-patches.rst ;)
>
> IIUC this is unintented truncation of the upper bits due to missing type
> promotion before the shift, rather than overflow (i.e. the value
> wrapping across addition/subtraction), so I think the wording is
> slightly misleading.
>
> Does coverity call that integer overflow?
Coverity calls it "Unintentional integer overflow". I suspect Coverity
first spots the overflow before the truncation occurs and so flags that
up as the root cause.
>
> It might be better to say:
>
> | [PATCH] perf/x86/intel/uncore: don't truncate upper bits of address
> |
> | Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
> | by 23 will throw away the upper 23 bits of the potentially 64-bit
> | address. Fix this by casting pci_dword to a resource_size_t before
> | masking and shifting it.
> |
> | Found by coverity ("Unintentional integer overflow").
>
> Otherwise, the patch looks fine to me:
>
> Acked-by: Mark Rutland <mark.rutland@arm.com>
>
> Thanks,
> Mark.
>
>> Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>> ---
>> arch/x86/events/intel/uncore_snbep.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
>> index b10a5ec79e48..ed69df1340d9 100644
>> --- a/arch/x86/events/intel/uncore_snbep.c
>> +++ b/arch/x86/events/intel/uncore_snbep.c
>> @@ -4415,7 +4415,7 @@ static void snr_uncore_mmio_init_box(struct intel_uncore_box *box)
>> return;
>>
>> pci_read_config_dword(pdev, SNR_IMC_MMIO_BASE_OFFSET, &pci_dword);
>> - addr = (pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
>> + addr = ((resource_size_t)pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
>>
>> pci_read_config_dword(pdev, SNR_IMC_MMIO_MEM0_OFFSET, &pci_dword);
>> addr |= (pci_dword & SNR_IMC_MMIO_MEM0_MASK) << 12;
>> --
>> 2.20.1
>>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-10-02 12:38 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-02 11:55 [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer Colin King
2019-10-02 12:23 ` Mark Rutland
2019-10-02 12:38 ` Colin Ian King
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).