| Message ID | 20241029164317.50182-2-vladimir.oltean@nxp.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | a12fcef429e17cb3db47cde0692a185d3ca712a3 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | Fix sparse warnings in dpaa_eth driver | expand |
On Tue, Oct 29, 2024 at 06:43:15PM +0200, Vladimir Oltean wrote: > struct qm_sg_entry :: offset is a 13-bit field, declared as __be16. > > When using be32_to_cpu(), a wrong value will be calculated on little > endian systems (Arm), because type promotion from 16-bit to 32-bit, > which is done before the byte swap and always in the CPU native > endianness, changes the value of the scatter/gather list entry offset in > big-endian interpretation (adds two zero bytes in the LSB interpretation). > The result of the byte swap is ANDed with GENMASK(12, 0), so the result > is always zero, because only those bytes added by type promotion remain > after the application of the bit mask. > > The impact of the bug is that scatter/gather frames with a non-zero > offset into the buffer are treated by the driver as if they had a zero > offset. This is all in theory, because in practice, qm_sg_entry_get_off() > has a single caller, where the bug is inconsequential, because at that > call site the buffer offset will always be zero, as will be explained in > the subsequent change. > > Flagged by sparse: > > warning: cast to restricted __be32 > warning: cast from restricted __be16 > > Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Reviewed-by: Breno Leitao <leitao@debian.org>
Le 29/10/2024 à 17:43, Vladimir Oltean a écrit : > struct qm_sg_entry :: offset is a 13-bit field, declared as __be16. > > When using be32_to_cpu(), a wrong value will be calculated on little > endian systems (Arm), because type promotion from 16-bit to 32-bit, > which is done before the byte swap and always in the CPU native > endianness, changes the value of the scatter/gather list entry offset in > big-endian interpretation (adds two zero bytes in the LSB interpretation). > The result of the byte swap is ANDed with GENMASK(12, 0), so the result > is always zero, because only those bytes added by type promotion remain > after the application of the bit mask. > > The impact of the bug is that scatter/gather frames with a non-zero > offset into the buffer are treated by the driver as if they had a zero > offset. This is all in theory, because in practice, qm_sg_entry_get_off() > has a single caller, where the bug is inconsequential, because at that > call site the buffer offset will always be zero, as will be explained in > the subsequent change. > > Flagged by sparse: > > warning: cast to restricted __be32 > warning: cast from restricted __be16 > > Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Acked-by: Christophe Leroy <christophe.leroy@csgroup.eu> > --- > include/soc/fsl/qman.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/soc/fsl/qman.h b/include/soc/fsl/qman.h > index 0d3d6beb7fdb..7f7a4932d7f1 100644 > --- a/include/soc/fsl/qman.h > +++ b/include/soc/fsl/qman.h > @@ -242,7 +242,7 @@ static inline void qm_sg_entry_set_f(struct qm_sg_entry *sg, int len) > > static inline int qm_sg_entry_get_off(const struct qm_sg_entry *sg) > { > - return be32_to_cpu(sg->offset) & QM_SG_OFF_MASK; > + return be16_to_cpu(sg->offset) & QM_SG_OFF_MASK; > } > > /* "Frame Dequeue Response" */
diff --git a/include/soc/fsl/qman.h b/include/soc/fsl/qman.h index 0d3d6beb7fdb..7f7a4932d7f1 100644 --- a/include/soc/fsl/qman.h +++ b/include/soc/fsl/qman.h @@ -242,7 +242,7 @@ static inline void qm_sg_entry_set_f(struct qm_sg_entry *sg, int len) static inline int qm_sg_entry_get_off(const struct qm_sg_entry *sg) { - return be32_to_cpu(sg->offset) & QM_SG_OFF_MASK; + return be16_to_cpu(sg->offset) & QM_SG_OFF_MASK; } /* "Frame Dequeue Response" */
struct qm_sg_entry :: offset is a 13-bit field, declared as __be16. When using be32_to_cpu(), a wrong value will be calculated on little endian systems (Arm), because type promotion from 16-bit to 32-bit, which is done before the byte swap and always in the CPU native endianness, changes the value of the scatter/gather list entry offset in big-endian interpretation (adds two zero bytes in the LSB interpretation). The result of the byte swap is ANDed with GENMASK(12, 0), so the result is always zero, because only those bytes added by type promotion remain after the application of the bit mask. The impact of the bug is that scatter/gather frames with a non-zero offset into the buffer are treated by the driver as if they had a zero offset. This is all in theory, because in practice, qm_sg_entry_get_off() has a single caller, where the bug is inconsequential, because at that call site the buffer offset will always be zero, as will be explained in the subsequent change. Flagged by sparse: warning: cast to restricted __be32 warning: cast from restricted __be16 Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> --- include/soc/fsl/qman.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)