[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZXcssPaaDtqADKp6@FVFF77S0Q05N.cambridge.arm.com>
Date: Mon, 11 Dec 2023 15:37:20 +0000
From: Mark Rutland <mark.rutland@....com>
To: Robin Murphy <robin.murphy@....com>
Cc: Will Deacon <will@...nel.org>, Joerg Roedel <joro@...tes.org>,
Christoph Hellwig <hch@....de>,
Vineet Gupta <vgupta@...nel.org>,
Russell King <linux@...linux.org.uk>,
Catalin Marinas <catalin.marinas@....com>,
Huacai Chen <chenhuacai@...nel.org>,
WANG Xuerui <kernel@...0n.name>,
Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
Lorenzo Pieralisi <lpieralisi@...nel.org>,
Hanjun Guo <guohanjun@...wei.com>,
Sudeep Holla <sudeep.holla@....com>,
"K. Y. Srinivasan" <kys@...rosoft.com>,
Haiyang Zhang <haiyangz@...rosoft.com>,
Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
Suravee Suthikulpanit <suravee.suthikulpanit@....com>,
David Woodhouse <dwmw2@...radead.org>,
Lu Baolu <baolu.lu@...ux.intel.com>,
Niklas Schnelle <schnelle@...ux.ibm.com>,
Matthew Rosato <mjrosato@...ux.ibm.com>,
Gerald Schaefer <gerald.schaefer@...ux.ibm.com>,
Jean-Philippe Brucker <jean-philippe@...aro.org>,
Rob Herring <robh+dt@...nel.org>,
Frank Rowand <frowand.list@...il.com>,
Marek Szyprowski <m.szyprowski@...sung.com>,
Jason Gunthorpe <jgg@...pe.ca>, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org, linux-acpi@...r.kernel.org,
iommu@...ts.linux.dev, devicetree@...r.kernel.org
Subject: Re: [PATCH 3/7] ACPI/IORT: Handle memory address size limits as
limits
On Mon, Dec 11, 2023 at 03:01:27PM +0000, Robin Murphy wrote:
> On 2023-12-11 1:27 pm, Will Deacon wrote:
> > On Wed, Nov 29, 2023 at 05:43:00PM +0000, Robin Murphy wrote:
> > > Return the Root Complex/Named Component memory address size limit as an
> > > inclusive limit value, rather than an exclusive size. This saves us
> > > having to special-case 64-bit overflow, and simplifies our caller too.
> > >
> > > Signed-off-by: Robin Murphy <robin.murphy@....com>
> > > ---
> > > drivers/acpi/arm64/dma.c | 9 +++------
> > > drivers/acpi/arm64/iort.c | 18 ++++++++----------
> > > include/linux/acpi_iort.h | 4 ++--
> > > 3 files changed, 13 insertions(+), 18 deletions(-)
> >
> > [...]
> >
> > > diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c
> > > index 6496ff5a6ba2..eb64d8e17dd1 100644
> > > --- a/drivers/acpi/arm64/iort.c
> > > +++ b/drivers/acpi/arm64/iort.c
> > > @@ -1367,7 +1367,7 @@ int iort_iommu_configure_id(struct device *dev, const u32 *input_id)
> > > { return -ENODEV; }
> > > #endif
> > > -static int nc_dma_get_range(struct device *dev, u64 *size)
> > > +static int nc_dma_get_range(struct device *dev, u64 *limit)
> > > {
> > > struct acpi_iort_node *node;
> > > struct acpi_iort_named_component *ncomp;
> > > @@ -1384,13 +1384,12 @@ static int nc_dma_get_range(struct device *dev, u64 *size)
> > > return -EINVAL;
> > > }
> > > - *size = ncomp->memory_address_limit >= 64 ? U64_MAX :
> > > - 1ULL<<ncomp->memory_address_limit;
> > > + *limit = (1ULL << ncomp->memory_address_limit) - 1;
> >
> > The old code handled 'ncomp->memory_address_limit >= 64' -- why is it safe
> > to drop that? You mention it in the cover letter, so clearly I'm missing
> > something!
>
> Because an unsigned shift by 64 or more generates 0 (modulo 2^64),
I'm pretty sure that regardless of whether a type is signed, shifting more than
the type's width is undefined behaviour. That causes GCC to scream at compile
time:
| CC arch/arm64/kernel/setup.o
| arch/arm64/kernel/setup.c: In function 'shift_test':
| arch/arm64/kernel/setup.c:295:20: warning: left shift count >= width of type [-Wshift-count-overflow]
| 295 | return 1UL << 64;
| | ^~
... and a UBSAN splat:
| ================================================================================
| UBSAN: shift-out-of-bounds in arch/arm64/kernel/setup.c:295:13
| shift exponent 64 is too large for 64-bit type 'long unsigned int'
| CPU: 0 PID: 0 Comm: swapper Not tainted 6.7.0-rc1-00005-g06034455cb74-dirty #3
| Call trace:
| dump_backtrace+0x90/0xe8
| show_stack+0x18/0x24
| dump_stack_lvl+0x48/0x60
| dump_stack+0x18/0x24
| __ubsan_handle_shift_out_of_bounds+0x114/0x244
| shift_test+0x24/0x34
| setup_arch+0x238/0x68c
| start_kernel+0x70/0x610
| __primary_switched+0xbc/0xc4
| ================================================================================
Mark.
> thus
> subtracting 1 results in the correct all-bits-set value for an inclusive
> 64-bit limit.
>
> Thanks,
> Robin.
>
> > > return 0;
> > > }
> > > -static int rc_dma_get_range(struct device *dev, u64 *size)
> > > +static int rc_dma_get_range(struct device *dev, u64 *limit)
> > > {
> > > struct acpi_iort_node *node;
> > > struct acpi_iort_root_complex *rc;
> > > @@ -1408,8 +1407,7 @@ static int rc_dma_get_range(struct device *dev, u64 *size)
> > > return -EINVAL;
> > > }
> > > - *size = rc->memory_address_limit >= 64 ? U64_MAX :
> > > - 1ULL<<rc->memory_address_limit;
> > > + *limit = (1ULL << rc->memory_address_limit) - 1;
> >
> > Same thing here.
> >
> > Will
Powered by blists - more mailing lists