From mboxrd@z Thu Jan 1 00:00:00 1970 From: joe@perches.com (Joe Perches) Date: Thu, 29 Sep 2016 11:06:32 -0700 Subject: [PATCH] dmaengine: coh901318: fix integer overflow when shifting more than 32 places In-Reply-To: <20160929175725.14157-1-colin.king@canonical.com> References: <20160929175725.14157-1-colin.king@canonical.com> Message-ID: <1475172392.2027.12.camel@perches.com> To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org On Thu, 2016-09-29 at 18:57 +0100, Colin King wrote: > Currently U300_DMA_CHANNELS is set to 40, meaning that the shift of 1 can > be more than 32 places, which leads to a 32 bit integer overflow. Fix this > by casting 1 to a u64 (the same type as started_channels) before shifting > it. trivia: > diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c [] > @@ -1353,7 +1353,7 @@ static ssize_t coh901318_debugfs_read(struct file *file, char __user *buf, > ? tmp += sprintf(tmp, "DMA -- enabled dma channels\n"); > ? > ? for (i = 0; i < U300_DMA_CHANNELS; i++) > - if (started_channels & (1 << i)) > + if (started_channels & ((u64)1 << i)) Using if (started_channels & (1ULL << i)) would be more common. It's also how started_channel bits are set and cleared later in the file. And maybe the for loop should use braces. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934688AbcI2SGq (ORCPT ); Thu, 29 Sep 2016 14:06:46 -0400 Received: from smtprelay0029.hostedemail.com ([216.40.44.29]:40103 "EHLO smtprelay.hostedemail.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S934406AbcI2SGj (ORCPT ); Thu, 29 Sep 2016 14:06:39 -0400 X-Session-Marker: 6A6F6540706572636865732E636F6D X-Spam-Summary: 2,0,0,,d41d8cd98f00b204,joe@perches.com,:::::::::::::,RULES_HIT:41:355:379:541:599:960:973:988:989:1260:1277:1311:1313:1314:1345:1359:1373:1437:1515:1516:1518:1534:1540:1593:1594:1711:1730:1747:1777:1792:2393:2559:2562:2828:3138:3139:3140:3141:3142:3352:3622:3865:3866:3867:3868:3870:3871:3872:3874:4321:5007:6119:7875:7903:10004:10400:10848:11232:11473:11658:11914:12048:12296:12438:12555:12740:13069:13255:13311:13357:13439:13894:14659:14721:21080:30051:30054:30064:30091,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fn,MSBL:0,DNSBL:none,Custom_rules:0:0:0,LFtime:1,LUA_SUMMARY:none X-HE-Tag: flame28_396d9484a2212 X-Filterd-Recvd-Size: 1812 Message-ID: <1475172392.2027.12.camel@perches.com> Subject: Re: [PATCH] dmaengine: coh901318: fix integer overflow when shifting more than 32 places From: Joe Perches To: Colin King , Linus Walleij , Dan Williams , Vinod Koul , linux-arm-kernel@lists.infradead.org, dmaengine@vger.kernel.org Cc: linux-kernel@vger.kernel.org Date: Thu, 29 Sep 2016 11:06:32 -0700 In-Reply-To: <20160929175725.14157-1-colin.king@canonical.com> References: <20160929175725.14157-1-colin.king@canonical.com> Content-Type: text/plain; charset="ISO-8859-1" X-Mailer: Evolution 3.21.91-1ubuntu1 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2016-09-29 at 18:57 +0100, Colin King wrote: > Currently U300_DMA_CHANNELS is set to 40, meaning that the shift of 1 can > be more than 32 places, which leads to a 32 bit integer overflow. Fix this > by casting 1 to a u64 (the same type as started_channels) before shifting > it. trivia: > diff --git a/drivers/dma/coh901318.c b/drivers/dma/coh901318.c [] > @@ -1353,7 +1353,7 @@ static ssize_t coh901318_debugfs_read(struct file *file, char __user *buf, >   tmp += sprintf(tmp, "DMA -- enabled dma channels\n"); >   >   for (i = 0; i < U300_DMA_CHANNELS; i++) > - if (started_channels & (1 << i)) > + if (started_channels & ((u64)1 << i)) Using if (started_channels & (1ULL << i)) would be more common. It's also how started_channel bits are set and cleared later in the file. And maybe the for loop should use braces.