linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer
@ 2019-10-02 11:55 Colin King
  2019-10-02 12:23 ` Mark Rutland
  0 siblings, 1 reply; 3+ messages in thread
From: Colin King @ 2019-10-02 11:55 UTC (permalink / raw)
  To: Kan Liang, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim,
	Thomas Gleixner, Borislav Petkov, H . Peter Anvin, x86
  Cc: kernel-janitors, linux-kernel

From: Colin Ian King <colin.king@canonical.com>

Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
will end up with an overflow when pci_dword greater than 0x1ff. Fix this
by casting pci_dword to a resource_size_t before masking and shifting it.

Addresses-Coverity: ("Unintentional integer overflow")
Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 arch/x86/events/intel/uncore_snbep.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
index b10a5ec79e48..ed69df1340d9 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -4415,7 +4415,7 @@ static void snr_uncore_mmio_init_box(struct intel_uncore_box *box)
 		return;
 
 	pci_read_config_dword(pdev, SNR_IMC_MMIO_BASE_OFFSET, &pci_dword);
-	addr = (pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
+	addr = ((resource_size_t)pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
 
 	pci_read_config_dword(pdev, SNR_IMC_MMIO_MEM0_OFFSET, &pci_dword);
 	addr |= (pci_dword & SNR_IMC_MMIO_MEM0_MASK) << 12;
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer
  2019-10-02 11:55 [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer Colin King
@ 2019-10-02 12:23 ` Mark Rutland
  2019-10-02 12:38   ` Colin Ian King
  0 siblings, 1 reply; 3+ messages in thread
From: Mark Rutland @ 2019-10-02 12:23 UTC (permalink / raw)
  To: Colin King
  Cc: Kan Liang, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Alexander Shishkin, Jiri Olsa, Namhyung Kim, Thomas Gleixner,
	Borislav Petkov, H . Peter Anvin, x86, kernel-janitors,
	linux-kernel

On Wed, Oct 02, 2019 at 12:55:45PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
> will end up with an overflow when pci_dword greater than 0x1ff. Fix this
> by casting pci_dword to a resource_size_t before masking and shifting it.
> 
> Addresses-Coverity: ("Unintentional integer overflow")

I don't see that tag in Documentation/process/submitting-patches.rst ;)

IIUC this is unintented truncation of the upper bits due to missing type
promotion before the shift, rather than overflow (i.e. the value
wrapping across addition/subtraction), so I think the wording is
slightly misleading.

Does coverity call that integer overflow?

It might be better to say:

| [PATCH] perf/x86/intel/uncore: don't truncate upper bits of address
|
| Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
| by 23 will throw away the upper 23 bits of the potentially 64-bit
| address. Fix this by casting pci_dword to a resource_size_t before
| masking and shifting it.
|
| Found by coverity ("Unintentional integer overflow").

Otherwise, the patch looks fine to me:

Acked-by: Mark Rutland <mark.rutland@arm.com>

Thanks,
Mark.

> Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  arch/x86/events/intel/uncore_snbep.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
> index b10a5ec79e48..ed69df1340d9 100644
> --- a/arch/x86/events/intel/uncore_snbep.c
> +++ b/arch/x86/events/intel/uncore_snbep.c
> @@ -4415,7 +4415,7 @@ static void snr_uncore_mmio_init_box(struct intel_uncore_box *box)
>  		return;
>  
>  	pci_read_config_dword(pdev, SNR_IMC_MMIO_BASE_OFFSET, &pci_dword);
> -	addr = (pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
> +	addr = ((resource_size_t)pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
>  
>  	pci_read_config_dword(pdev, SNR_IMC_MMIO_MEM0_OFFSET, &pci_dword);
>  	addr |= (pci_dword & SNR_IMC_MMIO_MEM0_MASK) << 12;
> -- 
> 2.20.1
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer
  2019-10-02 12:23 ` Mark Rutland
@ 2019-10-02 12:38   ` Colin Ian King
  0 siblings, 0 replies; 3+ messages in thread
From: Colin Ian King @ 2019-10-02 12:38 UTC (permalink / raw)
  To: Mark Rutland
  Cc: Kan Liang, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
	Alexander Shishkin, Jiri Olsa, Namhyung Kim, Thomas Gleixner,
	Borislav Petkov, H . Peter Anvin, x86, kernel-janitors,
	linux-kernel

On 02/10/2019 13:23, Mark Rutland wrote:
> On Wed, Oct 02, 2019 at 12:55:45PM +0100, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
>> will end up with an overflow when pci_dword greater than 0x1ff. Fix this
>> by casting pci_dword to a resource_size_t before masking and shifting it.
>>
>> Addresses-Coverity: ("Unintentional integer overflow")
> 
> I don't see that tag in Documentation/process/submitting-patches.rst ;)
> 
> IIUC this is unintented truncation of the upper bits due to missing type
> promotion before the shift, rather than overflow (i.e. the value
> wrapping across addition/subtraction), so I think the wording is
> slightly misleading.
> 
> Does coverity call that integer overflow?

Coverity calls it "Unintentional integer overflow". I suspect Coverity
first spots the overflow before the truncation occurs and so flags that
up as the root cause.

> 
> It might be better to say:
> 
> | [PATCH] perf/x86/intel/uncore: don't truncate upper bits of address
> |
> | Shifting the u32 integer result of (pci_dword & SNR_IMC_MMIO_BASE_MASK)
> | by 23 will throw away the upper 23 bits of the potentially 64-bit
> | address. Fix this by casting pci_dword to a resource_size_t before
> | masking and shifting it.
> |
> | Found by coverity ("Unintentional integer overflow").
> 
> Otherwise, the patch looks fine to me:
> 
> Acked-by: Mark Rutland <mark.rutland@arm.com>
> 
> Thanks,
> Mark.
> 
>> Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>> ---
>>  arch/x86/events/intel/uncore_snbep.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
>> index b10a5ec79e48..ed69df1340d9 100644
>> --- a/arch/x86/events/intel/uncore_snbep.c
>> +++ b/arch/x86/events/intel/uncore_snbep.c
>> @@ -4415,7 +4415,7 @@ static void snr_uncore_mmio_init_box(struct intel_uncore_box *box)
>>  		return;
>>  
>>  	pci_read_config_dword(pdev, SNR_IMC_MMIO_BASE_OFFSET, &pci_dword);
>> -	addr = (pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
>> +	addr = ((resource_size_t)pci_dword & SNR_IMC_MMIO_BASE_MASK) << 23;
>>  
>>  	pci_read_config_dword(pdev, SNR_IMC_MMIO_MEM0_OFFSET, &pci_dword);
>>  	addr |= (pci_dword & SNR_IMC_MMIO_MEM0_MASK) << 12;
>> -- 
>> 2.20.1
>>


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-10-02 12:38 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-02 11:55 [PATCH] perf/x86/intel/uncore: fix integer overflow on shift of a u32 integer Colin King
2019-10-02 12:23 ` Mark Rutland
2019-10-02 12:38   ` Colin Ian King

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).