Message ID | 20220713084728.1311465-1-junxiao.chang@intel.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Series | [1/2] net: stmmac: fix dma queue left shift overflow issue |
On 7/13/2022 1:47 AM, Junxiao Chang wrote:
> When queue number is > 4, left shift overflows due to 32 bits
> integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
>
> If CONFIG_UBSAN is enabled, kernel dumps below warning:
> [ 10.363842] ==================================================================
> [ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
> linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
> [ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
> [ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
> [ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
> [ 10.363958] Call Trace:
> [ 10.363960] <TASK>
> [ 10.363963] dump_stack_lvl+0x4a/0x5f
> [ 10.363971] dump_stack+0x10/0x12
> [ 10.363974] ubsan_epilogue+0x9/0x45
> [ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
> [ 10.363979] ? wake_up_klogd+0x4a/0x50
> [ 10.363983] ? vprintk_emit+0x8f/0x240
> [ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
> [ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
> [ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
> [ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
> [ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
> [ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
> [ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
> [ 10.364050] __dev_open+0xf0/0x1a0
> [ 10.364054] __dev_change_flags+0x188/0x1f0
> [ 10.364057] dev_change_flags+0x26/0x60
> [ 10.364059] do_setlink+0x908/0xc40
> [ 10.364062] ? do_setlink+0xb10/0xc40
> [ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
> [ 10.364068] __rtnl_newlink+0x597/0xa10
> [ 10.364072] ? __nla_reserve+0x41/0x50
> [ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
> [ 10.364079] ? pskb_expand_head+0x75/0x310
> [ 10.364082] ? nla_reserve_64bit+0x21/0x40
> [ 10.364086] ? skb_free_head+0x65/0x80
> [ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
> [ 10.364094] ? __cond_resched+0x19/0x30
> [ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
> [ 10.364100] rtnl_newlink+0x49/0x70
>
> This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
> mapping warning.
>
> Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
> Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>

Thanks for addressing it, maybe a:

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>

would be courteous.
There are two problems in Cedric's buglink(https://bugzilla.kernel.org/show_bug.cgi?id=216195):
1. There is UBSAN shift out of bounds warning.
2. Ethernet PHY GPY115B error and no IP addr.

I suppose my patch could fix 1st issue, not sure it could fix issue 2 or not.

I will update patch and append
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>

Thanks,
Junxiao

-----Original Message-----
From: Florian Fainelli <f.fainelli@gmail.com>
Sent: Friday, July 15, 2022 9:44 AM
To: Chang, Junxiao <junxiao.chang@intel.com>; peppe.cavallaro@st.com; alexandre.torgue@foss.st.com; joabreu@synopsys.com; netdev@vger.kernel.org; Cedric Wassenaar <cedric@bytespeed.nl>
Subject: Re: [PATCH 1/2] net: stmmac: fix dma queue left shift overflow issue

On 7/13/2022 1:47 AM, Junxiao Chang wrote:
> When queue number is > 4, left shift overflows due to 32 bits integer
> variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
>
> If CONFIG_UBSAN is enabled, kernel dumps below warning:
> [ 10.363842] ==================================================================
> [ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
> linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
> [ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
> [ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
> [ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
> [ 10.363958] Call Trace:
> [ 10.363960] <TASK>
> [ 10.363963] dump_stack_lvl+0x4a/0x5f
> [ 10.363971] dump_stack+0x10/0x12
> [ 10.363974] ubsan_epilogue+0x9/0x45
> [ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
> [ 10.363979] ? wake_up_klogd+0x4a/0x50
> [ 10.363983] ? vprintk_emit+0x8f/0x240
> [ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
> [ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
> [ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
> [ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
> [ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
> [ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
> [ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
> [ 10.364050] __dev_open+0xf0/0x1a0
> [ 10.364054] __dev_change_flags+0x188/0x1f0
> [ 10.364057] dev_change_flags+0x26/0x60
> [ 10.364059] do_setlink+0x908/0xc40
> [ 10.364062] ? do_setlink+0xb10/0xc40
> [ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
> [ 10.364068] __rtnl_newlink+0x597/0xa10
> [ 10.364072] ? __nla_reserve+0x41/0x50
> [ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
> [ 10.364079] ? pskb_expand_head+0x75/0x310
> [ 10.364082] ? nla_reserve_64bit+0x21/0x40
> [ 10.364086] ? skb_free_head+0x65/0x80
> [ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
> [ 10.364094] ? __cond_resched+0x19/0x30
> [ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
> [ 10.364100] rtnl_newlink+0x49/0x70
>
> This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
> mapping warning.
>
> Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
> Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>

Thanks for addressing it, maybe a:

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>

would be courteous.
--
Florian
(please do not top post)

On 7/14/2022 6:59 PM, Chang, Junxiao wrote:
> There are two problems in Cedric's buglink(https://bugzilla.kernel.org/show_bug.cgi?id=216195):
> 1. There is UBSAN shift out of bounds warning.
> 2. Ethernet PHY GPY115B error and no IP addr.
>
> I suppose my patch could fix 1st issue, not sure it could fix issue 2 or not.

Agreed, I think those are two unrelated problems, your patch does definitively fix the undefined behavior. Thanks!

> I will update patch and append
> BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
> Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>
>
> Thanks,
> Junxiao
>
> -----Original Message-----
> From: Florian Fainelli <f.fainelli@gmail.com>
> Sent: Friday, July 15, 2022 9:44 AM
> To: Chang, Junxiao <junxiao.chang@intel.com>; peppe.cavallaro@st.com; alexandre.torgue@foss.st.com; joabreu@synopsys.com; netdev@vger.kernel.org; Cedric Wassenaar <cedric@bytespeed.nl>
> Subject: Re: [PATCH 1/2] net: stmmac: fix dma queue left shift overflow issue
>
>
>
> On 7/13/2022 1:47 AM, Junxiao Chang wrote:
>> When queue number is > 4, left shift overflows due to 32 bits integer
>> variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
>>
>> If CONFIG_UBSAN is enabled, kernel dumps below warning:
>> [ 10.363842] ==================================================================
>> [ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
>> linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
>> [ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
>> [ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
>> [ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
>> [ 10.363958] Call Trace:
>> [ 10.363960] <TASK>
>> [ 10.363963] dump_stack_lvl+0x4a/0x5f
>> [ 10.363971] dump_stack+0x10/0x12
>> [ 10.363974] ubsan_epilogue+0x9/0x45
>> [ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
>> [ 10.363979] ? wake_up_klogd+0x4a/0x50
>> [ 10.363983] ? vprintk_emit+0x8f/0x240
>> [ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
>> [ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
>> [ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
>> [ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
>> [ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
>> [ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
>> [ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
>> [ 10.364050] __dev_open+0xf0/0x1a0
>> [ 10.364054] __dev_change_flags+0x188/0x1f0
>> [ 10.364057] dev_change_flags+0x26/0x60
>> [ 10.364059] do_setlink+0x908/0xc40
>> [ 10.364062] ? do_setlink+0xb10/0xc40
>> [ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
>> [ 10.364068] __rtnl_newlink+0x597/0xa10
>> [ 10.364072] ? __nla_reserve+0x41/0x50
>> [ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
>> [ 10.364079] ? pskb_expand_head+0x75/0x310
>> [ 10.364082] ? nla_reserve_64bit+0x21/0x40
>> [ 10.364086] ? skb_free_head+0x65/0x80
>> [ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
>> [ 10.364094] ? __cond_resched+0x19/0x30
>> [ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
>> [ 10.364100] rtnl_newlink+0x49/0x70
>>
>> This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
>> mapping warning.
>>
>> Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
>> Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
>
> Thanks for addressing it, maybe a:
>
> BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
> Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>
>
> would be courteous.
> --
> Florian
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c index 96e5d39bb2600..c4d1072fbea39 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c @@ -269,6 +269,9 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan) if (queue == 0 || queue == 4) { value &= ~MTL_RXQ_DMA_Q04MDMACH_MASK; value |= MTL_RXQ_DMA_Q04MDMACH(chan); + } else if (queue > 4) { + value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue - 4); + value |= MTL_RXQ_DMA_QXMDMACH(chan, queue - 4); } else { value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue); value |= MTL_RXQ_DMA_QXMDMACH(chan, queue);
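Review bot: The new `else if (queue > 4)` branch puts no upper bound on `queue`, so the out-of-range shift can return for larger values. If the macros shift by 8 bits per queue, as the shift exponent of 40 in the log suggests, `queue - 4` keeps the exponent below 32 only while `queue` stays below 8. Either state at this branch that callers never pass a queue number of 8 or more, or reject such values before the mask is computed. A one-line comment saying that `queue - 4` is the index within MTL_RXQ_DMA_MAP1 would also explain the constant, since the hunk does not show why the offset is 4.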
When queue number is > 4, left shift overflows due to 32 bits
integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.

If CONFIG_UBSAN is enabled, kernel dumps below warning:
[ 10.363842] ==================================================================
[ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
[ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
[ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
[ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
[ 10.363958] Call Trace:
[ 10.363960] <TASK>
[ 10.363963] dump_stack_lvl+0x4a/0x5f
[ 10.363971] dump_stack+0x10/0x12
[ 10.363974] ubsan_epilogue+0x9/0x45
[ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
[ 10.363979] ? wake_up_klogd+0x4a/0x50
[ 10.363983] ? vprintk_emit+0x8f/0x240
[ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
[ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
[ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
[ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
[ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
[ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
[ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
[ 10.364050] __dev_open+0xf0/0x1a0
[ 10.364054] __dev_change_flags+0x188/0x1f0
[ 10.364057] dev_change_flags+0x26/0x60
[ 10.364059] do_setlink+0x908/0xc40
[ 10.364062] ? do_setlink+0xb10/0xc40
[ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
[ 10.364068] __rtnl_newlink+0x597/0xa10
[ 10.364072] ? __nla_reserve+0x41/0x50
[ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
[ 10.364079] ? pskb_expand_head+0x75/0x310
[ 10.364082] ? nla_reserve_64bit+0x21/0x40
[ 10.364086] ? skb_free_head+0x65/0x80
[ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
[ 10.364094] ? __cond_resched+0x19/0x30
[ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
[ 10.364100] rtnl_newlink+0x49/0x70

This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
mapping warning.

Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
---
 drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 3 +++
 1 file changed, 3 insertions(+)
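
The arithmetic behind the warning in the commit message, as an added example that is not part of the patch or the driver: it assumes four 8-bit fields per 32-bit map register, a 4-bit channel value and eight queues in total, and every name in it is hypothetical. It goes one step beyond the patch by also rejecting queue numbers that have no field.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout, not copied from the driver headers: four 8-bit fields
 * per 32-bit map register, channel number in the low 4 bits of a field. */
#define FIELDS_PER_REG 4u
#define FIELD_BITS     8u
#define CHAN_MASK      0xFu
#define MAX_QUEUES     8u   /* assumed: two map registers, queues 0-3 and 4-7 */

/* Shift exponent when the absolute queue number is used as the index. */
static unsigned int shift_absolute(uint32_t queue)
{
	return FIELD_BITS * queue;
}

/* Shift exponent relative to the register that holds this queue. */
static unsigned int shift_relative(uint32_t queue)
{
	return FIELD_BITS * (queue % FIELDS_PER_REG);
}

/* Shifting a 32-bit value is only defined for exponents 0..31. */
static int shift_is_defined(unsigned int shift)
{
	return shift < 32u;
}

/* Rewrite one queue's field; -1 when queue or chan has no field to land in. */
static int map_queue_to_chan(uint32_t *reg, uint32_t queue, uint32_t chan)
{
	unsigned int shift;
	if (queue >= MAX_QUEUES || chan > CHAN_MASK)
		return -1;
	shift = shift_relative(queue);
	*reg = (*reg & ~((uint32_t)CHAN_MASK << shift)) | (chan << shift);
	return 0;
}

int main(void)
{
	for (uint32_t q = 0; q < 9; q++) {
		uint32_t reg = 0xffffffffu;   /* constructed starting value */
		int rc = map_queue_to_chan(&reg, q, 3);
		printf("q=%u abs_shift=%u defined=%d rc=%d reg=0x%08x\n", (unsigned)q,
		       shift_absolute(q), shift_is_defined(shift_absolute(q)), rc, (unsigned)reg);
	}
	return 0;
}
```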