From: Peter Chen <peter.chen@nxp.com>
To: pawell@cadence.com, rogerq@ti.com
Cc: balbi@kernel.org, linux-usb@vger.kernel.org, linux-imx@nxp.com,
gregkh@linuxfoundation.org, jun.li@nxp.com,
Peter Chen <peter.chen@nxp.com>
Subject: [PATCH v2 1/3] usb: cdns3: gadget: suspicious implicit sign extension
Date: Thu, 22 Oct 2020 08:55:03 +0800 [thread overview]
Message-ID: <20201022005505.24167-2-peter.chen@nxp.com> (raw)
In-Reply-To: <20201022005505.24167-1-peter.chen@nxp.com>
The code:
trb->length = cpu_to_le32(TRB_BURST_LEN(priv_ep->trb_burst_size)
| TRB_LEN(length));
TRB_BURST_LEN(priv_ep->trb_burst_size) may be overflow for int 32 if
priv_ep->trb_burst_size is equal or larger than 0x80;
Below is the Coverity warning:
sign_extension: Suspicious implicit sign extension: priv_ep->trb_burst_size
with type u8 (8 bits, unsigned) is promoted in priv_ep->trb_burst_size << 24
to type int (32 bits, signed), then sign-extended to type unsigned long
(64 bits, unsigned). If priv_ep->trb_burst_size << 24 is greater than 0x7FFFFFFF,
the upper bits of the result will all be 1.
To fix it, it needs to add an explicit cast to unsigned int type for ((p) << 24).
Reviewed-by: Jun Li <jun.li@nxp.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
---
Changes for v2:
- Move position of explicit cast to unsigned int before ((p) << 24) [Patch 1/3]
drivers/usb/cdns3/gadget.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/cdns3/gadget.h b/drivers/usb/cdns3/gadget.h
index 1ccecd237530..737377913788 100644
--- a/drivers/usb/cdns3/gadget.h
+++ b/drivers/usb/cdns3/gadget.h
@@ -1072,7 +1072,7 @@ struct cdns3_trb {
#define TRB_TDL_SS_SIZE_GET(p) (((p) & GENMASK(23, 17)) >> 17)
/* transfer_len bitmasks - bits 31:24 */
-#define TRB_BURST_LEN(p) (((p) << 24) & GENMASK(31, 24))
+#define TRB_BURST_LEN(p) ((unsigned int)((p) << 24) & GENMASK(31, 24))
#define TRB_BURST_LEN_GET(p) (((p) & GENMASK(31, 24)) >> 24)
/* Data buffer pointer bitmasks*/
--
2.17.1
next prev parent reply other threads:[~2020-10-22 0:55 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-22 0:55 [PATCH v2 0/3] usb: cdns3: three bug fixes for v5.10 Peter Chen
2020-10-22 0:55 ` Peter Chen [this message]
2020-10-22 0:55 ` [PATCH v2 2/3] usb: cdns3: gadget: own the lock wrongly at the suspend routine Peter Chen
2020-10-27 9:26 ` Felipe Balbi
2020-10-29 9:31 ` Peter Chen
2020-10-22 0:55 ` [PATCH v2 3/3] usb: cdns3: Fix on-chip memory overflow issue Peter Chen
2020-10-27 9:27 ` Felipe Balbi
2020-10-27 11:21 ` Pawel Laszczak
2020-10-28 9:07 ` [PATCH v2 0/3] usb: cdns3: three bug fixes for v5.10 Greg KH
2020-10-28 9:33 ` Peter Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201022005505.24167-2-peter.chen@nxp.com \
--to=peter.chen@nxp.com \
--cc=balbi@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=jun.li@nxp.com \
--cc=linux-imx@nxp.com \
--cc=linux-usb@vger.kernel.org \
--cc=pawell@cadence.com \
--cc=rogerq@ti.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.