[PATCH] hw/dma/omap_dma.c: Use 64 bit maths for omap_dma_transfer_setup

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Jim MacArthur <jim.macarthur@linaro.org>
To: qemu-devel@nongnu.org
Cc: Jim MacArthur <jim.macarthur@linaro.org>
Subject: [PATCH] hw/dma/omap_dma.c: Use 64 bit maths for omap_dma_transfer_setup
Date: Thu,  4 Dec 2025 19:33:11 +0000	[thread overview]
Message-ID: <20251204193311.1281133-1-jim.macarthur@linaro.org> (raw)

If both frame and element count are 65535, which appears valid from my
reading of the OMAP5912 documentation, then some of the calculations
will overflow the 32-bit signed integer range and produce a negative
min_elems value.

Raised by #3204 (https://gitlab.com/qemu-project/qemu/-/issues/3204).

Signed-off-by: Jim MacArthur <jim.macarthur@linaro.org>
---
 hw/dma/omap_dma.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/hw/dma/omap_dma.c b/hw/dma/omap_dma.c
index 101f91f4a3..93e6503ff9 100644
--- a/hw/dma/omap_dma.c
+++ b/hw/dma/omap_dma.c
@@ -504,9 +504,19 @@ static void omap_dma_transfer_setup(struct soc_dma_ch_s *dma)
     struct omap_dma_channel_s *ch = dma->opaque;
     struct omap_dma_s *s = dma->dma->opaque;
     int frames, min_elems, elements[__omap_dma_intr_last];
+    uint64_t frames64, frame64, elements64, element64;
 
     a = &ch->active_set;
 
+    /*
+     * We do maths with the frame and element fields which exceeds
+     * a signed 32-bit integer, so convert all these to 64 bit for future use.
+     */
+    frames64 = a->frames;
+    frame64 = a->frame;
+    elements64 = a->elements;
+    element64 = a->element;
+
     src_p = &s->mpu->port[ch->port[0]];
     dest_p = &s->mpu->port[ch->port[1]];
     if ((!ch->constant_fill && !src_p->addr_valid(s->mpu, a->src)) ||
@@ -527,7 +537,7 @@ static void omap_dma_transfer_setup(struct soc_dma_ch_s *dma)
     /* Check all the conditions that terminate the transfer starting
      * with those that can occur the soonest.  */
 #define INTR_CHECK(cond, id, nelements) \
-    if (cond) {         \
+    if (cond && nelements <= INT_MAX) {         \
         elements[id] = nelements;   \
         if (elements[id] < min_elems)   \
             min_elems = elements[id];   \
@@ -547,24 +557,24 @@ static void omap_dma_transfer_setup(struct soc_dma_ch_s *dma)
      * See also the TODO in omap_dma_channel_load.  */
     INTR_CHECK(
                     (ch->interrupts & LAST_FRAME_INTR) &&
-                    ((a->frame < a->frames - 1) || !a->element),
+                    ((frame64 < frames64 - 1) || !element64),
                     omap_dma_intr_last_frame,
-                    (a->frames - a->frame - 2) * a->elements +
-                    (a->elements - a->element + 1))
+                    (frames64 - frame64 - 2) * elements64 +
+                    (elements64 - element64 + 1))
     INTR_CHECK(
                     ch->interrupts & HALF_FRAME_INTR,
                     omap_dma_intr_half_frame,
-                    (a->elements >> 1) +
-                    (a->element >= (a->elements >> 1) ? a->elements : 0) -
-                    a->element)
+                    (elements64 >> 1) +
+                    (element64 >= (elements64 >> 1) ? elements64 : 0) -
+                    element64)
     INTR_CHECK(
                     ch->sync && ch->fs && (ch->interrupts & END_FRAME_INTR),
                     omap_dma_intr_frame,
-                    a->elements - a->element)
+                    elements64 - element64)
     INTR_CHECK(
                     ch->sync && ch->fs && !ch->bs,
                     omap_dma_intr_frame_sync,
-                    a->elements - a->element)
+                    elements64 - element64)
 
     /* Packets */
     INTR_CHECK(
@@ -581,8 +591,8 @@ static void omap_dma_transfer_setup(struct soc_dma_ch_s *dma)
     INTR_CHECK(
                     1,
                     omap_dma_intr_block,
-                    (a->frames - a->frame - 1) * a->elements +
-                    (a->elements - a->element))
+                    (frames64 - frame64 - 1) * elements64 +
+                    (elements64 - element64))
 
     dma->bytes = min_elems * ch->data_type;
 
-- 
2.43.0

next             reply	other threads:[~2025-12-04 19:34 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-04 19:33 Jim MacArthur [this message]
2025-12-04 21:33 ` [PATCH] hw/dma/omap_dma.c: Use 64 bit maths for omap_dma_transfer_setup Alex Bennée
2025-12-05 15:57   ` Philippe Mathieu-Daudé
2025-12-05 16:10     ` Jim MacArthur
2025-12-05 16:20       ` Peter Maydell
2025-12-05 16:36         ` Jim MacArthur
2025-12-05 10:33 ` Peter Maydell
2025-12-05 15:10   ` Jim MacArthur

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:101f91f4a dfblob:93e6503ff )
 OR (
bs:"[PATCH] hw/dma/omap_dma.c: Use 64 bit maths for omap_dma_transfer_setup" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251204193311.1281133-1-jim.macarthur@linaro.org \
    --to=jim.macarthur@linaro.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).