| Message ID | 20210914082817.22311-2-harini.katakam@xilinx.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ZynqMP DMA fixes | expand |
Hi Harini, On Tue, 14 Sep 2021 13:58:14 +0530, Harini Katakam wrote: > From: Shravya Kumbham <shravya.kumbham@xilinx.com> > > In zynqmp_dma_alloc/free_chan_resources functions there is a > potential overflow in the below expressions. > > dma_alloc_coherent(chan->dev, (2 * chan->desc_size * > ZYNQMP_DMA_NUM_DESCS), > &chan->desc_pool_p, GFP_KERNEL); > > dma_free_coherent(chan->dev,(2 * ZYNQMP_DMA_DESC_SIZE(chan) * > ZYNQMP_DMA_NUM_DESCS), > chan->desc_pool_v, chan->desc_pool_p); > > The arguments desc_size and ZYNQMP_DMA_NUM_DESCS are 32 bit. Though > this overflow condition is not observed but it is a potential problem > in the case of 32-bit multiplication. Hence fix it by using typecast. > > Addresses-Coverity: Event overflow_before_widen. > Signed-off-by: Shravya Kumbham <shravya.kumbham@xilinx.com> > Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com> Thanks for the patch. Your SoB is missing in this and the other patches of this series. > --- > drivers/dma/xilinx/zynqmp_dma.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c > index 5fecf5aa6e85..2d0eba25739d 100644 > --- a/drivers/dma/xilinx/zynqmp_dma.c > +++ b/drivers/dma/xilinx/zynqmp_dma.c > @@ -490,7 +490,8 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan *dchan) > } > > chan->desc_pool_v = dma_alloc_coherent(chan->dev, > - (2 * chan->desc_size * ZYNQMP_DMA_NUM_DESCS), > + ((size_t)(2 * chan->desc_size) * > + ZYNQMP_DMA_NUM_DESCS), Wouldn't it be easier to change the type of chan->desc_size to size_t? Maybe we could also just calculate the size of the descriptor pool during probe() to make the code more readable? I also noticed that there is the ZYNQMP_DMA_DESC_SIZE() macro, which is inconsistently used in the driver. Maybe you could cleanup this as well as you are at it? > &chan->desc_pool_p, GFP_KERNEL); > if (!chan->desc_pool_v) > return -ENOMEM; > @@ -677,7 +678,8 @@ static void zynqmp_dma_free_chan_resources(struct dma_chan *dchan) > zynqmp_dma_free_descriptors(chan); > spin_unlock_irqrestore(&chan->lock, irqflags); > dma_free_coherent(chan->dev, > - (2 * ZYNQMP_DMA_DESC_SIZE(chan) * ZYNQMP_DMA_NUM_DESCS), > + ((size_t)(2 * ZYNQMP_DMA_DESC_SIZE(chan)) * > + ZYNQMP_DMA_NUM_DESCS), With a pre-calculated descriptor pool size, recalculating the size here wouldn't be necessary anymore. Michael > chan->desc_pool_v, chan->desc_pool_p); > kfree(chan->sw_desc_pool); > pm_runtime_mark_last_busy(chan->dev); > -- > 2.17.1 > > > _______________________________________________ > linux-arm-kernel mailing list > linux-arm-kernel@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-arm-kernel >
On 14-09-21, 13:58, Harini Katakam wrote: > From: Shravya Kumbham <shravya.kumbham@xilinx.com> > > In zynqmp_dma_alloc/free_chan_resources functions there is a > potential overflow in the below expressions. > > dma_alloc_coherent(chan->dev, (2 * chan->desc_size * > ZYNQMP_DMA_NUM_DESCS), > &chan->desc_pool_p, GFP_KERNEL); > > dma_free_coherent(chan->dev,(2 * ZYNQMP_DMA_DESC_SIZE(chan) * > ZYNQMP_DMA_NUM_DESCS), > chan->desc_pool_v, chan->desc_pool_p); > > The arguments desc_size and ZYNQMP_DMA_NUM_DESCS are 32 bit. Though > this overflow condition is not observed but it is a potential problem > in the case of 32-bit multiplication. Hence fix it by using typecast. > > Addresses-Coverity: Event overflow_before_widen. > Signed-off-by: Shravya Kumbham <shravya.kumbham@xilinx.com> Patch was sent by Harini Katakam <harini.katakam@xilinx.com> and SOB not available for person sending this patch, sorry cant accept it with s-o-b... > Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com> > --- > drivers/dma/xilinx/zynqmp_dma.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c > index 5fecf5aa6e85..2d0eba25739d 100644 > --- a/drivers/dma/xilinx/zynqmp_dma.c > +++ b/drivers/dma/xilinx/zynqmp_dma.c > @@ -490,7 +490,8 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan *dchan) > } > > chan->desc_pool_v = dma_alloc_coherent(chan->dev, > - (2 * chan->desc_size * ZYNQMP_DMA_NUM_DESCS), > + ((size_t)(2 * chan->desc_size) * > + ZYNQMP_DMA_NUM_DESCS), > &chan->desc_pool_p, GFP_KERNEL); > if (!chan->desc_pool_v) > return -ENOMEM; > @@ -677,7 +678,8 @@ static void zynqmp_dma_free_chan_resources(struct dma_chan *dchan) > zynqmp_dma_free_descriptors(chan); > spin_unlock_irqrestore(&chan->lock, irqflags); > dma_free_coherent(chan->dev, > - (2 * ZYNQMP_DMA_DESC_SIZE(chan) * ZYNQMP_DMA_NUM_DESCS), > + ((size_t)(2 * ZYNQMP_DMA_DESC_SIZE(chan)) * > + ZYNQMP_DMA_NUM_DESCS), > chan->desc_pool_v, chan->desc_pool_p); > kfree(chan->sw_desc_pool); > pm_runtime_mark_last_busy(chan->dev); > -- > 2.17.1
diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c index 5fecf5aa6e85..2d0eba25739d 100644 --- a/drivers/dma/xilinx/zynqmp_dma.c +++ b/drivers/dma/xilinx/zynqmp_dma.c @@ -490,7 +490,8 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan *dchan) } chan->desc_pool_v = dma_alloc_coherent(chan->dev, - (2 * chan->desc_size * ZYNQMP_DMA_NUM_DESCS), + ((size_t)(2 * chan->desc_size) * + ZYNQMP_DMA_NUM_DESCS), &chan->desc_pool_p, GFP_KERNEL); if (!chan->desc_pool_v) return -ENOMEM; @@ -677,7 +678,8 @@ static void zynqmp_dma_free_chan_resources(struct dma_chan *dchan) zynqmp_dma_free_descriptors(chan); spin_unlock_irqrestore(&chan->lock, irqflags); dma_free_coherent(chan->dev, - (2 * ZYNQMP_DMA_DESC_SIZE(chan) * ZYNQMP_DMA_NUM_DESCS), + ((size_t)(2 * ZYNQMP_DMA_DESC_SIZE(chan)) * + ZYNQMP_DMA_NUM_DESCS), chan->desc_pool_v, chan->desc_pool_p); kfree(chan->sw_desc_pool); pm_runtime_mark_last_busy(chan->dev);