sound/soc/renesas/rz-ssi.c | 2 ++ 1 file changed, 2 insertions(+)
My static checker rule complains about this code. The concern is that
if "sample_space" is negative then the "sample_space >= runtime->channels"
condition will not work as intended because it will be type promoted to a
high unsigned int value.
strm->fifo_sample_size is SSI_FIFO_DEPTH (32). The SSIFSR_TDC_MASK is
0x3f. Without any further context it does seem like a reasonable warning
and it can't hurt to add a check for negatives.
Cc: stable@vger.kernel.org
Fixes: 03e786bd4341 ("ASoC: sh: Add RZ/G2L SSIF-2 driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
sound/soc/renesas/rz-ssi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/soc/renesas/rz-ssi.c b/sound/soc/renesas/rz-ssi.c
index d48e2e7356b6..3a0af4ca7ab6 100644
--- a/sound/soc/renesas/rz-ssi.c
+++ b/sound/soc/renesas/rz-ssi.c
@@ -521,6 +521,8 @@ static int rz_ssi_pio_send(struct rz_ssi_priv *ssi, struct rz_ssi_stream *strm)
sample_space = strm->fifo_sample_size;
ssifsr = rz_ssi_reg_readl(ssi, SSIFSR);
sample_space -= (ssifsr >> SSIFSR_TDC_SHIFT) & SSIFSR_TDC_MASK;
+ if (sample_space < 0)
+ return -EINVAL;
/* Only add full frames at a time */
while (frames_left && (sample_space >= runtime->channels)) {
--
2.45.2On Wed, 08 Jan 2025 12:28:46 +0300, Dan Carpenter wrote:
> My static checker rule complains about this code. The concern is that
> if "sample_space" is negative then the "sample_space >= runtime->channels"
> condition will not work as intended because it will be type promoted to a
> high unsigned int value.
>
> strm->fifo_sample_size is SSI_FIFO_DEPTH (32). The SSIFSR_TDC_MASK is
> 0x3f. Without any further context it does seem like a reasonable warning
> and it can't hurt to add a check for negatives.
>
> [...]
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
Thanks!
[1/1] ASoC: renesas: rz-ssi: Add a check for negative sample_space
commit: 82a0a3e6f8c02b3236b55e784a083fa4ee07c321
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying
to this mail.
Thanks,
Mark
Hi Dan,
On Wed, Jan 8, 2025 at 10:29 AM Dan Carpenter <dan.carpenter@linaro.org> wrote:
> My static checker rule complains about this code. The concern is that
> if "sample_space" is negative then the "sample_space >= runtime->channels"
> condition will not work as intended because it will be type promoted to a
> high unsigned int value.
>
> strm->fifo_sample_size is SSI_FIFO_DEPTH (32). The SSIFSR_TDC_MASK is
> 0x3f. Without any further context it does seem like a reasonable warning
> and it can't hurt to add a check for negatives.
>
> Cc: stable@vger.kernel.org
> Fixes: 03e786bd4341 ("ASoC: sh: Add RZ/G2L SSIF-2 driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Thanks for your patch!
> --- a/sound/soc/renesas/rz-ssi.c
> +++ b/sound/soc/renesas/rz-ssi.c
> @@ -521,6 +521,8 @@ static int rz_ssi_pio_send(struct rz_ssi_priv *ssi, struct rz_ssi_stream *strm)
> sample_space = strm->fifo_sample_size;
> ssifsr = rz_ssi_reg_readl(ssi, SSIFSR);
> sample_space -= (ssifsr >> SSIFSR_TDC_SHIFT) & SSIFSR_TDC_MASK;
> + if (sample_space < 0)
> + return -EINVAL;
>
> /* Only add full frames at a time */
> while (frames_left && (sample_space >= runtime->channels)) {
In practice this cannot happen, as the maximum value of the field
is 0x20 (= SSI_FIFO_DEPTH), but better safe than sorry, so
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Biju/Prabhakar: The documentation for the TDC bits in the FIFO Status
Register seems to be incorrect (in all of the RZ/G2L, RZ/G2UL, RZ/G3S,
and RZ/A2M documentation):
TDC[5:0] Bits
These bits indicate the number of valid data that are stored in
the transmit FIFO data register (SSIFTDR). With this flag as H’0,
there is no data to be transmitted. With H’10, there is no space to
write data.
As the FIFO size is 4 bytes x 32 stages for both the transmit and
receive FIFOs, the above should be H'20 instead of H'10.
The documentation for the RDC bits has it right:
RDC[5:0] Bits
These bits indicate the number of valid data that are stored
in the receive FIFO data register (SSIFRDR). With this flag as H’0,
there is no received data. With H’20, the register is filled with
received data and there is no free space.
The documentation for RZ/A1H (not yet supported by the driver)
is also correct (8 stages and H'8).
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
© 2016 - 2025 Red Hat, Inc.