From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Cedric Wassenaar <cedric@bytespeed.nl>,
Junxiao Chang <junxiao.chang@intel.com>,
Florian Fainelli <f.fainelli@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 15/62] net: stmmac: fix dma queue left shift overflow issue
Date: Wed, 27 Jul 2022 18:10:24 +0200 [thread overview]
Message-ID: <20220727161004.781641985@linuxfoundation.org> (raw)
In-Reply-To: <20220727161004.175638564@linuxfoundation.org>
From: Junxiao Chang <junxiao.chang@intel.com>
[ Upstream commit 613b065ca32e90209024ec4a6bb5ca887ee70980 ]
When queue number is > 4, left shift overflows due to 32 bits
integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1.
If CONFIG_UBSAN is enabled, kernel dumps below warning:
[ 10.363842] ==================================================================
[ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/
linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12
[ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int'
[ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg
[ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021
[ 10.363958] Call Trace:
[ 10.363960] <TASK>
[ 10.363963] dump_stack_lvl+0x4a/0x5f
[ 10.363971] dump_stack+0x10/0x12
[ 10.363974] ubsan_epilogue+0x9/0x45
[ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e
[ 10.363979] ? wake_up_klogd+0x4a/0x50
[ 10.363983] ? vprintk_emit+0x8f/0x240
[ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac]
[ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac]
[ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac]
[ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac]
[ 10.364030] ? page_pool_alloc_pages+0x4d/0x70
[ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac]
[ 10.364042] stmmac_open+0x39e/0x920 [stmmac]
[ 10.364050] __dev_open+0xf0/0x1a0
[ 10.364054] __dev_change_flags+0x188/0x1f0
[ 10.364057] dev_change_flags+0x26/0x60
[ 10.364059] do_setlink+0x908/0xc40
[ 10.364062] ? do_setlink+0xb10/0xc40
[ 10.364064] ? __nla_validate_parse+0x4c/0x1a0
[ 10.364068] __rtnl_newlink+0x597/0xa10
[ 10.364072] ? __nla_reserve+0x41/0x50
[ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0
[ 10.364079] ? pskb_expand_head+0x75/0x310
[ 10.364082] ? nla_reserve_64bit+0x21/0x40
[ 10.364086] ? skb_free_head+0x65/0x80
[ 10.364089] ? security_sock_rcv_skb+0x2c/0x50
[ 10.364094] ? __cond_resched+0x19/0x30
[ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420
[ 10.364100] rtnl_newlink+0x49/0x70
This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue
mapping warning.
Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel")
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195
Reported-by: Cedric Wassenaar <cedric@bytespeed.nl>
Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
index bc8871e7351f..00b6af0b2f3a 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
@@ -222,6 +222,9 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan)
if (queue == 0 || queue == 4) {
value &= ~MTL_RXQ_DMA_Q04MDMACH_MASK;
value |= MTL_RXQ_DMA_Q04MDMACH(chan);
+ } else if (queue > 4) {
+ value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue - 4);
+ value |= MTL_RXQ_DMA_QXMDMACH(chan, queue - 4);
} else {
value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue);
value |= MTL_RXQ_DMA_QXMDMACH(chan, queue);
--
2.35.1
next prev parent reply other threads:[~2022-07-27 16:32 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-27 16:10 [PATCH 4.19 00/62] 4.19.254-rc1 review Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 01/62] riscv: add as-options for modules with assembly compontents Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 02/62] xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 03/62] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 04/62] power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 05/62] pinctrl: ralink: Check for null return of devm_kcalloc Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 06/62] perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 07/62] ip: Fix data-races around sysctl_ip_fwd_use_pmtu Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 08/62] ip: Fix data-races around sysctl_ip_nonlocal_bind Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 09/62] ip: Fix a data-race around sysctl_fwmark_reflect Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 10/62] tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 11/62] tcp: Fix data-races around sysctl_tcp_mtu_probing Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 12/62] tcp: Fix a data-race around sysctl_tcp_probe_threshold Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 13/62] tcp: Fix a data-race around sysctl_tcp_probe_interval Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 14/62] i2c: cadence: Change large transfer count reset logic to be unconditional Greg Kroah-Hartman
2022-07-27 16:10 ` Greg Kroah-Hartman [this message]
2022-07-27 16:10 ` [PATCH 4.19 16/62] net/tls: Fix race in TLS device down flow Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 17/62] igmp: Fix data-races around sysctl_igmp_llm_reports Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 18/62] igmp: Fix a data-race around sysctl_igmp_max_memberships Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 19/62] tcp: Fix data-races around sysctl_tcp_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 20/62] tcp: Fix data-races around some timeout sysctl knobs Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 21/62] tcp: Fix a data-race around sysctl_tcp_notsent_lowat Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 22/62] tcp: Fix a data-race around sysctl_tcp_tw_reuse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 23/62] tcp: Fix data-races around sysctl_tcp_fastopen Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 24/62] be2net: Fix buffer overflow in be_get_module_eeprom Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 25/62] tcp: Fix a data-race around sysctl_tcp_early_retrans Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 26/62] tcp: Fix data-races around sysctl_tcp_recovery Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 27/62] tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 28/62] tcp: Fix data-races around sysctl_tcp_slow_start_after_idle Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 29/62] tcp: Fix a data-race around sysctl_tcp_retrans_collapse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 30/62] tcp: Fix a data-race around sysctl_tcp_stdurg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 31/62] tcp: Fix a data-race around sysctl_tcp_rfc1337 Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 32/62] tcp: Fix data-races around sysctl_tcp_max_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 33/62] Revert "Revert "char/random: silence a lockdep splat with printk()"" Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 34/62] mm/mempolicy: fix uninit-value in mpol_rebind_policy() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 35/62] bpf: Make sure mac_header was set before using it Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 36/62] drm/tilcdc: Remove obsolete crtc_mode_valid() hack Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 37/62] tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 38/62] HID: multitouch: simplify the application retrieval Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 39/62] HID: multitouch: Lenovo X1 Tablet Gen3 trackpoint and buttons Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 40/62] HID: multitouch: add support for the Smart Tech panel Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 41/62] HID: add ALWAYS_POLL quirk to lenovo pixart mouse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 42/62] dlm: fix pending remove if msg allocation fails Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 43/62] ima: remove the IMA_TEMPLATE Kconfig option Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 44/62] ALSA: memalloc: Align buffer allocations in page size Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 45/62] Bluetooth: Add bt_skb_sendmsg helper Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 46/62] Bluetooth: Add bt_skb_sendmmsg helper Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 47/62] Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 48/62] Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 49/62] Bluetooth: Fix passing NULL to PTR_ERR Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 4.19 50/62] Bluetooth: SCO: Fix sco_send_frame returning skb->len Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 51/62] Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 52/62] serial: mvebu-uart: correctly report configured baudrate value Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 53/62] tty: drivers/tty/, stop using tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 54/62] tty: the rest, " Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 55/62] tty: drop tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 56/62] tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 57/62] tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 58/62] net: usb: ax88179_178a needs FLAG_SEND_ZLP Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 59/62] PCI: hv: Fix multi-MSI to allow more than one MSI vector Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 60/62] PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 61/62] PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 4.19 62/62] PCI: hv: Fix interrupt mapping for multi-MSI Greg Kroah-Hartman
2022-07-28 9:42 ` [PATCH 4.19 00/62] 4.19.254-rc1 review Pavel Machek
2022-07-28 9:45 ` Naresh Kamboju
2022-07-28 14:31 ` Sudip Mukherjee (Codethink)
2022-07-28 14:51 ` Shuah Khan
2022-07-28 22:58 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220727161004.781641985@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=cedric@bytespeed.nl \
--cc=davem@davemloft.net \
--cc=f.fainelli@gmail.com \
--cc=junxiao.chang@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox