hw/dma/xlnx_dpdma.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-)
Add a type cast and use extract64() instead of extract32()
to avoid integer overflow on addition. Fix bit fields
extraction according to documentation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: d3c6369a96 ("introduce xlnx-dpdma")
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
hw/dma/xlnx_dpdma.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index 1f5cd64ed1..52e8c594fe 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -175,24 +175,24 @@ static uint64_t xlnx_dpdma_desc_get_source_address(DPDMADescriptor *desc,
switch (frag) {
case 0:
- addr = desc->source_address
- + (extract32(desc->address_extension, 16, 12) << 20);
+ addr = (uint64_t)desc->source_address
+ + (extract64(desc->address_extension, 16, 12) << 20);
break;
case 1:
- addr = desc->source_address2
- + (extract32(desc->address_extension_23, 0, 12) << 8);
+ addr = (uint64_t)desc->source_address2
+ + (extract64(desc->address_extension_23, 0, 12) << 8);
break;
case 2:
- addr = desc->source_address3
- + (extract32(desc->address_extension_23, 16, 12) << 20);
+ addr = (uint64_t)desc->source_address3
+ + (extract64(desc->address_extension_23, 16, 12) << 20);
break;
case 3:
- addr = desc->source_address4
- + (extract32(desc->address_extension_45, 0, 12) << 8);
+ addr = (uint64_t)desc->source_address4
+ + (extract64(desc->address_extension_45, 0, 12) << 8);
break;
case 4:
- addr = desc->source_address5
- + (extract32(desc->address_extension_45, 16, 12) << 20);
+ addr = (uint64_t)desc->source_address5
+ + (extract64(desc->address_extension_45, 16, 12) << 20);
break;
default:
addr = 0;
--
2.30.2
On Wed, 24 Apr 2024 at 19:13, Alexandra Diupina <adiupina@astralinux.ru> wrote: > > Add a type cast and use extract64() instead of extract32() > to avoid integer overflow on addition. Fix bit fields > extraction according to documentation. The commit message here says we make the handling of the address_extension fields match the documentation, and the version of the fixes to this function in the patch "[PATCH v2 RFC] fix host-endianness bug and prevent overflow" did that, but here we seem to have gone back to not changing the shift amounts. We also need to extract all 16 bits of the address_extension fields, not just 12, according to the datasheet. thanks -- PMM
© 2016 - 2024 Red Hat, Inc.