From patchwork Wed Sep 4 16:03:38 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Niklas Cassel X-Patchwork-Id: 172936 Delivered-To: patch@linaro.org Received: by 2002:a05:6e02:ce:0:0:0:0 with SMTP id r14csp124234ilq; Wed, 4 Sep 2019 09:03:54 -0700 (PDT) X-Google-Smtp-Source: APXvYqyg8uclm8HPHaqyXgWH83flP5UrEZ37TNq7yKPyiZYLFjPYqMYs0CRBb2nNqWcjKipgOA+C X-Received: by 2002:a62:e21a:: with SMTP id a26mr15064359pfi.156.1567613034087; Wed, 04 Sep 2019 09:03:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567613034; cv=none; d=google.com; s=arc-20160816; b=HD5ECMn7z1j7tLHU4/wB2/9WZL3g1lhxprkKkbLfbwup3GY65aHPozys3AA5FZUDF2 7OtJk+P1+2olEaDkEv+uQWsOR1MzWFo/ufJF8CNf/O0/GPwmiSXQg8WvRu9yd38qgEXN A4nWsLIUs/adySmCm4acPbb1rdpWSf9pknJ1I9s7R/NZRTarrLt/p/bQecRpMUT6TdSg bbIv8ThGItzl6bT9bC3NaMhLOaCJLj+suRlJUcrzaNRbWf9ydcPQ4mIozMv/4gXsMeBc s+8eQ6h/64zwo5hfF+Q6EOtaWTaW+htN/hyxBZXYX0LBQsV0NBua8A6jIU90oW6QuZU+ Rxzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=qdkpjv/bZ2lIEk5X+tFdEgL+mJhBRPFpnDdvWwMX9Xc=; b=Ra+432wOOx+av/vunwUUFkWqmbbpFC0F4aUwOIhu1ymPHGpaoN8Fv9R1v51nrig0x9 qfLOJGCUDl0alAcAlcsATJhqvSocfI5OgMF5aaT1rhyyDH+kCsN5AMikctCAob1tv8ux R4151AJ78Kkb48iNPOwwvdybuPM10Q9IaSKhOv/g5g/pqbBNP1p4r8yYdoF5qP3JtBgG JYLSPQpGsTXXf8PzY6pNNOUN6Wv85ODjM/ku6B+Z7ktRX06WYjACjvabpvARJZfvwhAo hQRmJniZOBnJf9uw+iWlE4kxojKBECFYDNI2x0hsSiW5GscfSlO+xkDC8ynS+XkkcPTX Gn7w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=N8gFXNfw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q11si17663766pgk.194.2019.09.04.09.03.53; Wed, 04 Sep 2019 09:03:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=N8gFXNfw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733117AbfIDQDw (ORCPT + 28 others); Wed, 4 Sep 2019 12:03:52 -0400 Received: from mail-lf1-f66.google.com ([209.85.167.66]:46576 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731541AbfIDQDt (ORCPT ); Wed, 4 Sep 2019 12:03:49 -0400 Received: by mail-lf1-f66.google.com with SMTP id t8so3927783lfc.13 for ; Wed, 04 Sep 2019 09:03:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=qdkpjv/bZ2lIEk5X+tFdEgL+mJhBRPFpnDdvWwMX9Xc=; b=N8gFXNfwqngfpITkERemx7Ltu0Dlkimbs/trkm5uy96D6tIWPHX+pNnCgQH1JxBihu IUrf7jLBw1JFSWWDRnalf9mB+yNxxdG069bZzIjwJ4zwb/qe7WxIcKRgxPPfGKgR6AGk 4cnEy7ibBSOP6zo70HU5OxGp7HUKh81yvJsJ2YsMSEHK6/LXkPSokNqCrVMYSD3+bB4e kS75lVIGNArGDrvZt0feVALLQxuzWS+xVJQxen3vpDfiaItT/4Y+cy1RBN1sxFZ96kAI E9/nkH2UsoZHaIdiXJmDlCysFakZHUVnixHRNlY6m99sKIXP1K2Iej7CxYqjC5k4ZoQJ d98g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=qdkpjv/bZ2lIEk5X+tFdEgL+mJhBRPFpnDdvWwMX9Xc=; b=Qa80BenDG4+gBaDdLh8e1waXmm3zptqv149IY3bLsGs43n3lWxUFBimAluIaKjSvhD /Z92eC/JKuRATcj3yp/5730aq0Veaq4iBa/LJ3OOXdQH4W5ZkR+WrzG3anj+vIsitR5g F+AmvsRlRipfsxyfPZj1KbBFEN1Mu8kv7eHhkLZM71BDb+sK2QDrKeE3yy5KxGLxzCs1 O6KwqZvxAAtu46erw9k5+OcV60U/GSpaOQhcWVzPvpySg67whoMr6/Idr8s07H6SxSOp wTMagVXhHwVWitUA1xgaQPfCBE4CGM6zpUd8hVLQFbM83ueRBZMGSn1tysG9vBhpNGWd 5NdQ== X-Gm-Message-State: APjAAAUna2PIO4IoK6TppRgT04EGYRq0eL0b83ScTn0KXMyrj+cZuPKH xZf2dH/kuBVpOcSQlrm/xSY+FA== X-Received: by 2002:a19:6549:: with SMTP id c9mr3188567lfj.99.1567613027790; Wed, 04 Sep 2019 09:03:47 -0700 (PDT) Received: from localhost.localdomain (ua-84-219-138-247.bbcust.telenor.se. [84.219.138.247]) by smtp.gmail.com with ESMTPSA id r8sm556064lfm.71.2019.09.04.09.03.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Sep 2019 09:03:47 -0700 (PDT) From: Niklas Cassel To: Jingoo Han , Gustavo Pimentel Cc: Niklas Cassel , Lorenzo Pieralisi , Bjorn Helgaas , linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] PCI: dwc: fix find_next_bit() usage Date: Wed, 4 Sep 2019 18:03:38 +0200 Message-Id: <20190904160339.2800-1-niklas.cassel@linaro.org> X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org find_next_bit() takes a parameter of size long, and performs arithmetic that assumes that the argument is of size long. Therefore we cannot pass a u32, since this will cause find_next_bit() to read outside the stack buffer and will produce the following print: BUG: KASAN: stack-out-of-bounds in find_next_bit+0x38/0xb0 Fixes: 1b497e6493c4 ("PCI: dwc: Fix uninitialized variable in dw_handle_msi_irq()") Signed-off-by: Niklas Cassel --- drivers/pci/controller/dwc/pcie-designware-host.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) -- 2.21.0 Acked-by: Gustavo Pimentel Reviewed-by: Andrew Murray Tested-by: Bjorn Andersson diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index d3156446ff27..45f21640c977 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -78,7 +78,8 @@ static struct msi_domain_info dw_pcie_msi_domain_info = { irqreturn_t dw_handle_msi_irq(struct pcie_port *pp) { int i, pos, irq; - u32 val, num_ctrls; + unsigned long val; + u32 status, num_ctrls; irqreturn_t ret = IRQ_NONE; num_ctrls = pp->num_vectors / MAX_MSI_IRQS_PER_CTRL; @@ -86,14 +87,14 @@ irqreturn_t dw_handle_msi_irq(struct pcie_port *pp) for (i = 0; i < num_ctrls; i++) { dw_pcie_rd_own_conf(pp, PCIE_MSI_INTR0_STATUS + (i * MSI_REG_CTRL_BLOCK_SIZE), - 4, &val); - if (!val) + 4, &status); + if (!status) continue; ret = IRQ_HANDLED; + val = status; pos = 0; - while ((pos = find_next_bit((unsigned long *) &val, - MAX_MSI_IRQS_PER_CTRL, + while ((pos = find_next_bit(&val, MAX_MSI_IRQS_PER_CTRL, pos)) != MAX_MSI_IRQS_PER_CTRL) { irq = irq_find_mapping(pp->irq_domain, (i * MAX_MSI_IRQS_PER_CTRL) +