HID: amd_sfh: Increase bitwidth to avoid shift-out-of-bounds

Message ID 20230704081724.2308195-1-kai.heng.feng@canonical.com (mailing list archive)
State New, archived
Delegated to: Jiri Kosina

Commit Message

Kai-Heng Feng July 4, 2023, 8:17 a.m. UTC
UBSAN complains shift-out-of-bounds on amd_sfh:
[    7.593412] input: SYNA3105:00 06CB:CEA3 Mouse as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input11
[    7.593541] input: SYNA3105:00 06CB:CEA3 Touchpad as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input12
[    7.593625] hid-multitouch 0018:06CB:CEA3.0001: input,hidraw0: I2C HID v1.00 Mouse [SYNA3105:00 06CB:CEA3] on i2c-SYNA3105:00
[    7.664537] ================================================================================
[    7.664540] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50
[    7.664544] shift exponent 103 is too large for 64-bit type 'long unsigned int'
[    7.664547] CPU: 5 PID: 124 Comm: kworker/5:1 Tainted: G        W          6.4.0-next-20230703 #1
[    7.664549] Hardware name: HP HP EliteBook 835 13 inch G10 Notebook PC/8C10, BIOS V83 Ver. 01.01.09 06/05/2023
[    7.664551] Workqueue: events amd_sfh_work_buffer [amd_sfh]
[    7.664562] Call Trace:
[    7.664564]  <TASK>
[    7.664567]  dump_stack_lvl+0x48/0x70
[    7.664576]  dump_stack+0x10/0x20
[    7.664578]  __ubsan_handle_shift_out_of_bounds+0x156/0x310
[    7.664584]  ? sched_clock_noinstr+0x9/0x10
[    7.664589]  ? sched_clock_cpu+0x12/0x1d0
[    7.664594]  ? raw_spin_rq_lock_nested+0x1e/0xa0
[    7.664597]  ? psi_group_change+0x237/0x520
[    7.664600]  float_to_int.cold+0x18/0xcf [amd_sfh]
[    7.664606]  ? __pfx_get_input_rep+0x10/0x10 [amd_sfh]
[    7.664611]  get_input_rep+0x241/0x340 [amd_sfh]
[    7.664617]  amd_sfh_work_buffer+0x91/0x190 [amd_sfh]
[    7.664622]  process_one_work+0x229/0x450
[    7.664627]  worker_thread+0x50/0x3f0
[    7.664629]  ? __pfx_worker_thread+0x10/0x10
[    7.664632]  kthread+0xf4/0x130
[    7.664635]  ? __pfx_kthread+0x10/0x10
[    7.664638]  ret_from_fork+0x29/0x50
[    7.664644]  </TASK>
[    7.664652] ================================================================================

So increase the variable bitwidth to solve the issue.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
---
 drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Basavaraj Natikar July 7, 2023, 7:36 a.m. UTC | #1
On 7/4/2023 1:47 PM, Kai-Heng Feng wrote:
> UBSAN complains shift-out-of-bounds on amd_sfh:
> [    7.593412] input: SYNA3105:00 06CB:CEA3 Mouse as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input11
> [    7.593541] input: SYNA3105:00 06CB:CEA3 Touchpad as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input12
> [    7.593625] hid-multitouch 0018:06CB:CEA3.0001: input,hidraw0: I2C HID v1.00 Mouse [SYNA3105:00 06CB:CEA3] on i2c-SYNA3105:00
> [    7.664537] ================================================================================
> [    7.664540] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50
> [    7.664544] shift exponent 103 is too large for 64-bit type 'long unsigned int'
> [    7.664547] CPU: 5 PID: 124 Comm: kworker/5:1 Tainted: G        W          6.4.0-next-20230703 #1
> [    7.664549] Hardware name: HP HP EliteBook 835 13 inch G10 Notebook PC/8C10, BIOS V83 Ver. 01.01.09 06/05/2023
> [    7.664551] Workqueue: events amd_sfh_work_buffer [amd_sfh]
> [    7.664562] Call Trace:
> [    7.664564]  <TASK>
> [    7.664567]  dump_stack_lvl+0x48/0x70
> [    7.664576]  dump_stack+0x10/0x20
> [    7.664578]  __ubsan_handle_shift_out_of_bounds+0x156/0x310
> [    7.664584]  ? sched_clock_noinstr+0x9/0x10
> [    7.664589]  ? sched_clock_cpu+0x12/0x1d0
> [    7.664594]  ? raw_spin_rq_lock_nested+0x1e/0xa0
> [    7.664597]  ? psi_group_change+0x237/0x520
> [    7.664600]  float_to_int.cold+0x18/0xcf [amd_sfh]
> [    7.664606]  ? __pfx_get_input_rep+0x10/0x10 [amd_sfh]
> [    7.664611]  get_input_rep+0x241/0x340 [amd_sfh]
> [    7.664617]  amd_sfh_work_buffer+0x91/0x190 [amd_sfh]
> [    7.664622]  process_one_work+0x229/0x450
> [    7.664627]  worker_thread+0x50/0x3f0
> [    7.664629]  ? __pfx_worker_thread+0x10/0x10
> [    7.664632]  kthread+0xf4/0x130
> [    7.664635]  ? __pfx_kthread+0x10/0x10
> [    7.664638]  ret_from_fork+0x29/0x50
> [    7.664644]  </TASK>
> [    7.664652] ================================================================================
>
> So increase the variable bitwidth to solve the issue.
>
> Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
> ---
>  drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
> index 6f0d332ccf51..550639ef8bfe 100644
> --- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
> +++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
> @@ -134,7 +134,8 @@ static void get_common_inputs(struct common_input_property *common, int report_i
>  
>  static int float_to_int(u32 float32)
>  {
> -	int fraction, shift, mantissa, sign, exp, zeropre;
> +	int fraction, shift, sign, exp, zeropre;
> +	s128 mantissa;
>  
>  	mantissa = float32 & GENMASK(22, 0);
>  	sign = (float32 & BIT(31)) ? -1 : 1;
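
Review bot: the changelog does not tie the new type to the reported failure. The splat names a shift on a 64-bit 'long unsigned int' at amd_sfh_desc.c:149:50 with exponent 103, while this hunk only changes the declaration of `mantissa` at the top of float_to_int(); nothing visible here shows that the flagged operand is `mantissa` or that its type follows from this declaration. Please quote the line-149 expression in the commit message and state the largest shift count it can receive, so that 128 bits is justified rather than just being larger than 103. `s128` also relies on compiler __int128 support, so the message should say which configurations build this file.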

Could you please check the patch below, which covers more scenarios and corner cases
for UBSAN: shift-out-of-bounds.
https://lore.kernel.org/all/20230707065722.9036-1-Basavaraj.Natikar@amd.com/T/#m67e0b7aa6a288ea074b3bfa61e7f085f7e036172

Thanks,
--
Basavaraj

Kai-Heng Feng July 10, 2023, 5:15 a.m. UTC | #2
Hi Basavaraj,

On Fri, Jul 7, 2023 at 3:36 PM Basavaraj Natikar <bnatikar@amd.com> wrote:
>
>
> On 7/4/2023 1:47 PM, Kai-Heng Feng wrote:
> > UBSAN complains shift-out-of-bounds on amd_sfh:
> > [    7.593412] input: SYNA3105:00 06CB:CEA3 Mouse as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input11
> > [    7.593541] input: SYNA3105:00 06CB:CEA3 Touchpad as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input12
> > [    7.593625] hid-multitouch 0018:06CB:CEA3.0001: input,hidraw0: I2C HID v1.00 Mouse [SYNA3105:00 06CB:CEA3] on i2c-SYNA3105:00
> > [    7.664537] ================================================================================
> > [    7.664540] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50
> > [    7.664544] shift exponent 103 is too large for 64-bit type 'long unsigned int'
> > [    7.664547] CPU: 5 PID: 124 Comm: kworker/5:1 Tainted: G        W          6.4.0-next-20230703 #1
> > [    7.664549] Hardware name: HP HP EliteBook 835 13 inch G10 Notebook PC/8C10, BIOS V83 Ver. 01.01.09 06/05/2023
> > [    7.664551] Workqueue: events amd_sfh_work_buffer [amd_sfh]
> > [    7.664562] Call Trace:
> > [    7.664564]  <TASK>
> > [    7.664567]  dump_stack_lvl+0x48/0x70
> > [    7.664576]  dump_stack+0x10/0x20
> > [    7.664578]  __ubsan_handle_shift_out_of_bounds+0x156/0x310
> > [    7.664584]  ? sched_clock_noinstr+0x9/0x10
> > [    7.664589]  ? sched_clock_cpu+0x12/0x1d0
> > [    7.664594]  ? raw_spin_rq_lock_nested+0x1e/0xa0
> > [    7.664597]  ? psi_group_change+0x237/0x520
> > [    7.664600]  float_to_int.cold+0x18/0xcf [amd_sfh]
> > [    7.664606]  ? __pfx_get_input_rep+0x10/0x10 [amd_sfh]
> > [    7.664611]  get_input_rep+0x241/0x340 [amd_sfh]
> > [    7.664617]  amd_sfh_work_buffer+0x91/0x190 [amd_sfh]
> > [    7.664622]  process_one_work+0x229/0x450
> > [    7.664627]  worker_thread+0x50/0x3f0
> > [    7.664629]  ? __pfx_worker_thread+0x10/0x10
> > [    7.664632]  kthread+0xf4/0x130
> > [    7.664635]  ? __pfx_kthread+0x10/0x10
> > [    7.664638]  ret_from_fork+0x29/0x50
> > [    7.664644]  </TASK>
> > [    7.664652] ================================================================================
> >
> > So increase the variable bitwidth to solve the issue.
> >
> > Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
> > ---
> >  drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
> > index 6f0d332ccf51..550639ef8bfe 100644
> > --- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
> > +++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
> > @@ -134,7 +134,8 @@ static void get_common_inputs(struct common_input_property *common, int report_i
> >
> >  static int float_to_int(u32 float32)
> >  {
> > -     int fraction, shift, mantissa, sign, exp, zeropre;
> > +     int fraction, shift, sign, exp, zeropre;
> > +     s128 mantissa;
> >
> >       mantissa = float32 & GENMASK(22, 0);
> >       sign = (float32 & BIT(31)) ? -1 : 1;
>
> Could you please check the patch below, which covers more scenarios and corner cases
> for UBSAN: shift-out-of-bounds.
> https://lore.kernel.org/all/20230707065722.9036-1-Basavaraj.Natikar@amd.com/T/#m67e0b7aa6a288ea074b3bfa61e7f085f7e036172

Thanks for the patch. Please add my tag:
Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>

>
> Thanks,
> --
> Basavaraj
>

Benjamin Tissoires July 10, 2023, 7:55 a.m. UTC | #3
On Jul 10 2023, Kai-Heng Feng wrote:
> Hi Basavaraj,
> 
> On Fri, Jul 7, 2023 at 3:36 PM Basavaraj Natikar <bnatikar@amd.com> wrote:
> >
> >
> > On 7/4/2023 1:47 PM, Kai-Heng Feng wrote:
> > > UBSAN complains shift-out-of-bounds on amd_sfh:
> > > [    7.593412] input: SYNA3105:00 06CB:CEA3 Mouse as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input11
> > > [    7.593541] input: SYNA3105:00 06CB:CEA3 Touchpad as /devices/platform/AMDI0010:00/i2c-0/i2c-SYNA3105:00/0018:06CB:CEA3.0001/input/input12
> > > [    7.593625] hid-multitouch 0018:06CB:CEA3.0001: input,hidraw0: I2C HID v1.00 Mouse [SYNA3105:00 06CB:CEA3] on i2c-SYNA3105:00
> > > [    7.664537] ================================================================================
> > > [    7.664540] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50
> > > [    7.664544] shift exponent 103 is too large for 64-bit type 'long unsigned int'
> > > [    7.664547] CPU: 5 PID: 124 Comm: kworker/5:1 Tainted: G        W          6.4.0-next-20230703 #1
> > > [    7.664549] Hardware name: HP HP EliteBook 835 13 inch G10 Notebook PC/8C10, BIOS V83 Ver. 01.01.09 06/05/2023
> > > [    7.664551] Workqueue: events amd_sfh_work_buffer [amd_sfh]
> > > [    7.664562] Call Trace:
> > > [    7.664564]  <TASK>
> > > [    7.664567]  dump_stack_lvl+0x48/0x70
> > > [    7.664576]  dump_stack+0x10/0x20
> > > [    7.664578]  __ubsan_handle_shift_out_of_bounds+0x156/0x310
> > > [    7.664584]  ? sched_clock_noinstr+0x9/0x10
> > > [    7.664589]  ? sched_clock_cpu+0x12/0x1d0
> > > [    7.664594]  ? raw_spin_rq_lock_nested+0x1e/0xa0
> > > [    7.664597]  ? psi_group_change+0x237/0x520
> > > [    7.664600]  float_to_int.cold+0x18/0xcf [amd_sfh]
> > > [    7.664606]  ? __pfx_get_input_rep+0x10/0x10 [amd_sfh]
> > > [    7.664611]  get_input_rep+0x241/0x340 [amd_sfh]
> > > [    7.664617]  amd_sfh_work_buffer+0x91/0x190 [amd_sfh]
> > > [    7.664622]  process_one_work+0x229/0x450
> > > [    7.664627]  worker_thread+0x50/0x3f0
> > > [    7.664629]  ? __pfx_worker_thread+0x10/0x10
> > > [    7.664632]  kthread+0xf4/0x130
> > > [    7.664635]  ? __pfx_kthread+0x10/0x10
> > > [    7.664638]  ret_from_fork+0x29/0x50
> > > [    7.664644]  </TASK>
> > > [    7.664652] ================================================================================
> > >
> > > So increase the variable bitwidth to solve the issue.
> > >
> > > Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
> > > ---
> > >  drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
> > > index 6f0d332ccf51..550639ef8bfe 100644
> > > --- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
> > > +++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
> > > @@ -134,7 +134,8 @@ static void get_common_inputs(struct common_input_property *common, int report_i
> > >
> > >  static int float_to_int(u32 float32)
> > >  {
> > > -     int fraction, shift, mantissa, sign, exp, zeropre;
> > > +     int fraction, shift, sign, exp, zeropre;
> > > +     s128 mantissa;
> > >
> > >       mantissa = float32 & GENMASK(22, 0);
> > >       sign = (float32 & BIT(31)) ? -1 : 1;
> >
> > Could you please check the patch below, which covers more scenarios and corner cases
> > for UBSAN: shift-out-of-bounds.
> > https://lore.kernel.org/all/20230707065722.9036-1-Basavaraj.Natikar@amd.com/T/#m67e0b7aa6a288ea074b3bfa61e7f085f7e036172
> 
> Thanks for the patch. Please add my tag:
> Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>

Thanks. I'll add the tags to Basavaraj's series and push it to Linus
ASAP.

Cheers,
Benjamin

> 
> >
> > Thanks,
> > --
> > Basavaraj
> >

Patch

diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
index 6f0d332ccf51..550639ef8bfe 100644
--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
+++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c
@@ -134,7 +134,8 @@  static void get_common_inputs(struct common_input_property *common, int report_i
 
 static int float_to_int(u32 float32)
 {
-	int fraction, shift, mantissa, sign, exp, zeropre;
+	int fraction, shift, sign, exp, zeropre;
+	s128 mantissa;
 
 	mantissa = float32 & GENMASK(22, 0);
 	sign = (float32 & BIT(31)) ? -1 : 1;
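
Review bot: missing bound on the shift count in float_to_int(); declaring `mantissa` as `s128` raises the limit but does not check it. With the mantissa taken from bits 22..0 and the sign from bit 31, the exponent field in between is 8 bits wide, and the hunk adds no test that the shift derived from it stays below the width of the shifted operand. The function also still returns `int`, so any bits above 31 that the wider type preserves are truncated on return. Consider keeping `mantissa` at 32 bits and handling out-of-range exponents explicitly before the shift, for example by returning early when the shift count is at or beyond the operand width and by rejecting or saturating values that cannot fit in `int`.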