[1/2] net: stmmac: fix dma queue left shift overflow issue

Message ID	20220713084728.1311465-1-junxiao.chang@intel.com (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Junxiao Chang <junxiao.chang@intel.com> To: peppe.cavallaro@st.com, alexandre.torgue@foss.st.com, joabreu@synopsys.com, netdev@vger.kernel.org Cc: junxiao.chang@intel.com Subject: [PATCH 1/2] net: stmmac: fix dma queue left shift overflow issue Date: Wed, 13 Jul 2022 16:47:27 +0800 Message-Id: <20220713084728.1311465-1-junxiao.chang@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[1/2] net: stmmac: fix dma queue left shift overflow issue \| expand [1/2] net: stmmac: fix dma queue left shift overflow issue [2/2] net: stmmac: remove duplicate dma queue channel macros

Message ID

20220713084728.1311465-1-junxiao.chang@intel.com (mailing list archive)

State

Superseded

Delegated to:

Netdev Maintainers

Headers

From: Junxiao Chang <junxiao.chang@intel.com>
To: peppe.cavallaro@st.com, alexandre.torgue@foss.st.com,
        joabreu@synopsys.com, netdev@vger.kernel.org
Cc: junxiao.chang@intel.com
Subject: [PATCH 1/2] net: stmmac: fix dma queue left shift overflow issue
Date: Wed, 13 Jul 2022 16:47:27 +0800
Message-Id: <20220713084728.1311465-1-junxiao.chang@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[1/2] net: stmmac: fix dma queue left shift overflow issue | expand

Context	Check	Description
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/subject_prefix	warning	Target tree name not specified in the subject
netdev/cover_letter	success	Single patches do not need cover letters
netdev/patch_count	success	Link
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 1 this patch: 1
netdev/cc_maintainers	fail	2 blamed authors not CCed: Joao.Pinto@synopsys.com davem@davemloft.net; 8 maintainers not CCed: linux-stm32@st-md-mailman.stormreply.com linux-arm-kernel@lists.infradead.org pabeni@redhat.com Joao.Pinto@synopsys.com davem@davemloft.net edumazet@google.com kuba@kernel.org mcoquelin.stm32@gmail.com
netdev/build_clang	success	Errors and warnings before: 0 this patch: 0
netdev/module_param	success	Was 0 now: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	Fixes tag looks correct
netdev/build_allmodconfig_warn	success	Errors and warnings before: 1 this patch: 1
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0

Context

Check

Description

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/subject_prefix

warning

Target tree name not specified in the subject

netdev/cover_letter

success

Single patches do not need cover letters

netdev/patch_count

success

Link

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 1 this patch: 1

netdev/cc_maintainers

fail

2 blamed authors not CCed: Joao.Pinto@synopsys.com davem@davemloft.net; 8 maintainers not CCed: linux-stm32@st-md-mailman.stormreply.com linux-arm-kernel@lists.infradead.org pabeni@redhat.com Joao.Pinto@synopsys.com davem@davemloft.net edumazet@google.com kuba@kernel.org mcoquelin.stm32@gmail.com

netdev/build_clang

success

Errors and warnings before: 0 this patch: 0

netdev/module_param

success

Was 0 now: 0

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

Fixes tag looks correct

netdev/build_allmodconfig_warn

success

Errors and warnings before: 1 this patch: 1

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 9 lines checked

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

Commit Message

Chang, Junxiao July 13, 2022, 8:47 a.m. UTC

When queue number is > 4, left shift overflows due to 32 bits
integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.

If CONFIG_UBSAN is enabled, kernel dumps below warning:
[   10.363842] ==================================================================
[   10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
[   10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
[   10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
[   10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
[   10.363958] Call Trace:
[   10.363960]  <TASK>
[   10.363963]  dump_stack_lvl+0x4a/0x5f
[   10.363971]  dump_stack+0x10/0x12
[   10.363974]  ubsan_epilogue+0x9/0x45
[   10.363976]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
[   10.363979]  ? wake_up_klogd+0x4a/0x50
[   10.363983]  ? vprintk_emit+0x8f/0x240
[   10.363986]  dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
[   10.364001]  stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
[   10.364009]  ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
[   10.364020]  stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
[   10.364030]  ? page_pool_alloc_pages+0x4d/0x70
[   10.364034]  ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
[   10.364042]  stmmac_open+0x39e/0x920 [stmmac]
[   10.364050]  __dev_open+0xf0/0x1a0
[   10.364054]  __dev_change_flags+0x188/0x1f0
[   10.364057]  dev_change_flags+0x26/0x60
[   10.364059]  do_setlink+0x908/0xc40
[   10.364062]  ? do_setlink+0xb10/0xc40
[   10.364064]  ? __nla_validate_parse+0x4c/0x1a0
[   10.364068]  __rtnl_newlink+0x597/0xa10
[   10.364072]  ? __nla_reserve+0x41/0x50
[   10.364074]  ? __kmalloc_node_track_caller+0x1d0/0x4d0
[   10.364079]  ? pskb_expand_head+0x75/0x310
[   10.364082]  ? nla_reserve_64bit+0x21/0x40
[   10.364086]  ? skb_free_head+0x65/0x80
[   10.364089]  ? security_sock_rcv_skb+0x2c/0x50
[   10.364094]  ? __cond_resched+0x19/0x30
[   10.364097]  ? kmem_cache_alloc_trace+0x15a/0x420
[   10.364100]  rtnl_newlink+0x49/0x70

This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
mapping warning.

Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
---
 drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Florian Fainelli July 15, 2022, 1:43 a.m. UTC | #1

On 7/13/2022 1:47 AM, Junxiao Chang wrote:
> When queue number is > 4, left shift overflows due to 32 bits
> integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
> 
> If CONFIG_UBSAN is enabled, kernel dumps below warning:
> [   10.363842] ==================================================================
> [   10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
> linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
> [   10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
> [   10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
> [   10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
> [   10.363958] Call Trace:
> [   10.363960]  <TASK>
> [   10.363963]  dump_stack_lvl+0x4a/0x5f
> [   10.363971]  dump_stack+0x10/0x12
> [   10.363974]  ubsan_epilogue+0x9/0x45
> [   10.363976]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
> [   10.363979]  ? wake_up_klogd+0x4a/0x50
> [   10.363983]  ? vprintk_emit+0x8f/0x240
> [   10.363986]  dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
> [   10.364001]  stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
> [   10.364009]  ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
> [   10.364020]  stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
> [   10.364030]  ? page_pool_alloc_pages+0x4d/0x70
> [   10.364034]  ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
> [   10.364042]  stmmac_open+0x39e/0x920 [stmmac]
> [   10.364050]  __dev_open+0xf0/0x1a0
> [   10.364054]  __dev_change_flags+0x188/0x1f0
> [   10.364057]  dev_change_flags+0x26/0x60
> [   10.364059]  do_setlink+0x908/0xc40
> [   10.364062]  ? do_setlink+0xb10/0xc40
> [   10.364064]  ? __nla_validate_parse+0x4c/0x1a0
> [   10.364068]  __rtnl_newlink+0x597/0xa10
> [   10.364072]  ? __nla_reserve+0x41/0x50
> [   10.364074]  ? __kmalloc_node_track_caller+0x1d0/0x4d0
> [   10.364079]  ? pskb_expand_head+0x75/0x310
> [   10.364082]  ? nla_reserve_64bit+0x21/0x40
> [   10.364086]  ? skb_free_head+0x65/0x80
> [   10.364089]  ? security_sock_rcv_skb+0x2c/0x50
> [   10.364094]  ? __cond_resched+0x19/0x30
> [   10.364097]  ? kmem_cache_alloc_trace+0x15a/0x420
> [   10.364100]  rtnl_newlink+0x49/0x70
> 
> This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
> mapping warning.
> 
> Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
> Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>

Thanks for addressing it, maybe a:

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>

would be courteous.

Chang, Junxiao July 15, 2022, 1:59 a.m. UTC | #2

There are two problems in Cedric's buglink(https://bugzilla.kernel.org/show_bug.cgi?id=216195):
1. There is UBSAN shift out ouf bounds warning.
2. Ethernet PHY GPY115B error and no IP addr.

I suppose my patch could fix 1st issue, not sure it could fix issue 2 or not.
I will update patch and append
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>

Thanks,
Junxiao

-----Original Message-----
From: Florian Fainelli <f.fainelli@gmail.com> 
Sent: Friday, July 15, 2022 9:44 AM
To: Chang, Junxiao <junxiao.chang@intel.com>; peppe.cavallaro@st.com; alexandre.torgue@foss.st.com; joabreu@synopsys.com; netdev@vger.kernel.org; Cedric Wassenaar <cedric@bytespeed.nl>
Subject: Re: [PATCH 1/2] net: stmmac: fix dma queue left shift overflow issue



On 7/13/2022 1:47 AM, Junxiao Chang wrote:
> When queue number is > 4, left shift overflows due to 32 bits integer 
> variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
> 
> If CONFIG_UBSAN is enabled, kernel dumps below warning:
> [   10.363842] ==================================================================
> [   10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
> linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
> [   10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
> [   10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
> [   10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
> [   10.363958] Call Trace:
> [   10.363960]  <TASK>
> [   10.363963]  dump_stack_lvl+0x4a/0x5f
> [   10.363971]  dump_stack+0x10/0x12
> [   10.363974]  ubsan_epilogue+0x9/0x45
> [   10.363976]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
> [   10.363979]  ? wake_up_klogd+0x4a/0x50
> [   10.363983]  ? vprintk_emit+0x8f/0x240
> [   10.363986]  dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
> [   10.364001]  stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
> [   10.364009]  ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
> [   10.364020]  stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
> [   10.364030]  ? page_pool_alloc_pages+0x4d/0x70
> [   10.364034]  ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
> [   10.364042]  stmmac_open+0x39e/0x920 [stmmac]
> [   10.364050]  __dev_open+0xf0/0x1a0
> [   10.364054]  __dev_change_flags+0x188/0x1f0
> [   10.364057]  dev_change_flags+0x26/0x60
> [   10.364059]  do_setlink+0x908/0xc40
> [   10.364062]  ? do_setlink+0xb10/0xc40
> [   10.364064]  ? __nla_validate_parse+0x4c/0x1a0
> [   10.364068]  __rtnl_newlink+0x597/0xa10
> [   10.364072]  ? __nla_reserve+0x41/0x50
> [   10.364074]  ? __kmalloc_node_track_caller+0x1d0/0x4d0
> [   10.364079]  ? pskb_expand_head+0x75/0x310
> [   10.364082]  ? nla_reserve_64bit+0x21/0x40
> [   10.364086]  ? skb_free_head+0x65/0x80
> [   10.364089]  ? security_sock_rcv_skb+0x2c/0x50
> [   10.364094]  ? __cond_resched+0x19/0x30
> [   10.364097]  ? kmem_cache_alloc_trace+0x15a/0x420
> [   10.364100]  rtnl_newlink+0x49/0x70
> 
> This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue 
> mapping warning.
> 
> Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
> Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>

Thanks for addressing it, maybe a:

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>

would be courteous.
--
Florian

Florian Fainelli July 15, 2022, 2:02 a.m. UTC | #3

(please do not top post)

On 7/14/2022 6:59 PM, Chang, Junxiao wrote:
> There are two problems in Cedric's buglink(https://bugzilla.kernel.org/show_bug.cgi?id=216195):
> 1. There is UBSAN shift out ouf bounds warning.
> 2. Ethernet PHY GPY115B error and no IP addr.
> 
> I suppose my patch could fix 1st issue, not sure it could fix issue 2 or not.

Agreed, I think those are two unrelated problems your patch does 
definitively fix the undefined behavior. Thanks!

> I will update patch and append
> BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
> Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>
> 
> Thanks,
> Junxiao
> 
> -----Original Message-----
> From: Florian Fainelli <f.fainelli@gmail.com>
> Sent: Friday, July 15, 2022 9:44 AM
> To: Chang, Junxiao <junxiao.chang@intel.com>; peppe.cavallaro@st.com; alexandre.torgue@foss.st.com; joabreu@synopsys.com; netdev@vger.kernel.org; Cedric Wassenaar <cedric@bytespeed.nl>
> Subject: Re: [PATCH 1/2] net: stmmac: fix dma queue left shift overflow issue
> 
> 
> 
> On 7/13/2022 1:47 AM, Junxiao Chang wrote:
>> When queue number is > 4, left shift overflows due to 32 bits integer
>> variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
>>
>> If CONFIG_UBSAN is enabled, kernel dumps below warning:
>> [   10.363842] ==================================================================
>> [   10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
>> linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
>> [   10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
>> [   10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
>> [   10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
>> [   10.363958] Call Trace:
>> [   10.363960]  <TASK>
>> [   10.363963]  dump_stack_lvl+0x4a/0x5f
>> [   10.363971]  dump_stack+0x10/0x12
>> [   10.363974]  ubsan_epilogue+0x9/0x45
>> [   10.363976]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
>> [   10.363979]  ? wake_up_klogd+0x4a/0x50
>> [   10.363983]  ? vprintk_emit+0x8f/0x240
>> [   10.363986]  dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
>> [   10.364001]  stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
>> [   10.364009]  ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
>> [   10.364020]  stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
>> [   10.364030]  ? page_pool_alloc_pages+0x4d/0x70
>> [   10.364034]  ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
>> [   10.364042]  stmmac_open+0x39e/0x920 [stmmac]
>> [   10.364050]  __dev_open+0xf0/0x1a0
>> [   10.364054]  __dev_change_flags+0x188/0x1f0
>> [   10.364057]  dev_change_flags+0x26/0x60
>> [   10.364059]  do_setlink+0x908/0xc40
>> [   10.364062]  ? do_setlink+0xb10/0xc40
>> [   10.364064]  ? __nla_validate_parse+0x4c/0x1a0
>> [   10.364068]  __rtnl_newlink+0x597/0xa10
>> [   10.364072]  ? __nla_reserve+0x41/0x50
>> [   10.364074]  ? __kmalloc_node_track_caller+0x1d0/0x4d0
>> [   10.364079]  ? pskb_expand_head+0x75/0x310
>> [   10.364082]  ? nla_reserve_64bit+0x21/0x40
>> [   10.364086]  ? skb_free_head+0x65/0x80
>> [   10.364089]  ? security_sock_rcv_skb+0x2c/0x50
>> [   10.364094]  ? __cond_resched+0x19/0x30
>> [   10.364097]  ? kmem_cache_alloc_trace+0x15a/0x420
>> [   10.364100]  rtnl_newlink+0x49/0x70
>>
>> This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
>> mapping warning.
>>
>> Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
>> Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
> 
> Thanks for addressing it, maybe a:
> 
> BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
> Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>
> 
> would be courteous.
> --
> Florian

diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
index 96e5d39bb2600..c4d1072fbea39 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
@@ -269,6 +269,9 @@  static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan)
 	if (queue == 0 || queue == 4) {
 		value &= ~MTL_RXQ_DMA_Q04MDMACH_MASK;
 		value |= MTL_RXQ_DMA_Q04MDMACH(chan);
+	} else if (queue > 4) {
+		value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue - 4);
+		value |= MTL_RXQ_DMA_QXMDMACH(chan, queue - 4);
 	} else {
 		value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue);
 		value |= MTL_RXQ_DMA_QXMDMACH(chan, queue);

[1/2] net: stmmac: fix dma queue left shift overflow issue

Checks

Commit Message

Comments

Patch