[U-Boot] mmc: cat u8 to u64 to avoid unexpected error

Message ID	1473755277-23489-1-git-send-email-haibo.chen@nxp.com
State	Changes Requested
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Haibo Chen <haibo.chen@nxp.com> To: <u-boot@lists.denx.de> Date: Tue, 13 Sep 2016 16:27:57 +0800 Message-ID: <1473755277-23489-1-git-send-email-haibo.chen@nxp.com> MIME-Version: 1.0 Received-SPF: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; DB6PR0401MB2325; 23:DEC1t9K/1+qLK/T26x9hR6iGnZj65hPS3l3iH4m?= =?us-ascii?Q?Oe4/O4dFTtTZPK5oE5NnFcBdVIO194ioDJg+QURQBggfyzPb2EKv54prNkw2?= =?us-ascii?Q?SrRl7UQspC9NR8qFawQi0qqzCHJpf0+83253DTanghzs0Rzz2s2T85WKW1Th?= =?us-ascii?Q?Qt3Y+KFUc6XdbVFfHHl6TXj7RCtZ5/Y13TsgPQCx/osTULmdmH+wGyU6izDG?= =?us-ascii?Q?XHnRhTm3yuuBt41tmLe83aiTa14mwJR+UIRXcGiO4yAAvsn2CfaiXHCtwWzi?= =?us-ascii?Q?gDsYUkeY2ByAV4nv4mdlGX0RqXK3tz3zIrOX3QaQKhMKSeGQnKWndmnampq0?= =?us-ascii?Q?s7II3u4uJnNxN1WfYEBCtC5Qa8iIc9aamkzOcJrtzeuKzsJ9+e5vucKZ2+rC?= =?us-ascii?Q?cr9GTZvuMVOAQcy85beNjikcaFgtMwC1gmHM2VOOJakT9VbLHc+rp+1YsZOY?= =?us-ascii?Q?qmWXwvrdlinz45PS8GA11GEdU9XOp9bSnRCKpIys6+qYqcl41zJcFcDT9dR5?= =?us-ascii?Q?BJgViwVZ8oiFGRfpvKeW8p/etwbAnAiLaK+ZDR7ZPhJdoInmV/bu4I2spKNE?= =?us-ascii?Q?Gq/vPFOoVzClgekMSeOhzBpOIL0DpPLaUi6yII+7hDDUORaVDWBnb67Z0tCN?= =?us-ascii?Q?yNxSVtGg2VXWID2a5AuVHybc8BzeOhr1FqLwFIVbFMYuivEM5VQ4eoin3cOo?= =?us-ascii?Q?fCDxm+jsH63IeIQaSfMWMHQvbZpLFniLUqSwbz60WUw3/JH8CdISvvfTsYLI?= =?us-ascii?Q?oN8ubFaMgjZZT+cVnok+a1yu2LfsfWxyV2Di+DYWIL28t3Xh0TeJ7UipLTY0?= =?us-ascii?Q?VULNlS3KtpmuKaVfXpWxBDUyncUv87UeeFF8OINLC91r0vtnzf/S6aYQJ+md?= =?us-ascii?Q?5CeLaAWga80Wbd8ocpK9Wwp2LPKTH8ImEfmGyd096/Vm54ifTqL+ZmCjtz3U?= =?us-ascii?Q?7KQ9cqniX61+gY60hiaX3x33SshSdEs3orZfaPEigFQeb3qgn3HG3hkfQyj3?= =?us-ascii?Q?2iPgNn7GKcyjxGGAhqQpc2G/C/wEgRvg4KrPRqqY3MB3oBtmKgipVTL13u8+?= =?us-ascii?Q?Z/cVbtjJYmHBbCU9VaKvCLQGhem/kER8Efg3yBHu9LZolkaHrczlwrT5ew4x?= =?us-ascii?Q?3W6kUeCYxSDk=3D?= X-Microsoft-Exchange-Diagnostics: 1; DB6PR0401MB2325; 6:M1E3dbsPQzzCrr006iunwD3Lzp1MEorHIxay+aar9spp5CI+fRoxs8jYUMpG1tb2wnio/VmtUT8xOiYgwQLyWCgsCWa72nDOFbIz/hfFx4ep8T2wEVIDbFUf2la8/m+rN9/JgQRu/vKvWptOi6MKQhHkv4nBf+lau5BPa48o5Hd7Wc9kI2EfyMsBonzayqtzEkRuNSRAw6JkZXCkZWaGKPAZvwsW7MqgFZWqO1msQWyswlHcJEalJP5xAwI2A6rex1XdAMsJhrrOT5H/9VJtWz1TaVbbqD+hPMLVeXEblC7SnNvryi0piKL8cnJKQfRApzZl7TxMVPpGBgzjqDB+dA==; 5:DWs654mig85QMNw8qzH6LkBTR0CHOiWKWktBjQbCoDIpp7bDjC8EB5zYSSbm6r5Aa3cKxEOjkDWNn2l3Xv1sXzKP2W/71y3uhnxh/fKVL1CjJEMYQVZpE8j9eoenUrnbpynZouHGlFCcOeICnoXBhA==; 24:S76S47SECTQ0fW+A53mqlr/9WdKvp6Jv9u4aBZdYjMmnTJ/Lwk90IHjMppJ1IK+OBDU07BVtcUzz+j/QKPM9kI0WEtKUv802OiQn7W9Amg4=; 7:ts6XKh/56M+rUSeCZy7qVZf3Dm1WSm4Q/ARqprfzr8MeKfDdpAJV9mvXnZQhwo3OWzSDy2e/hhYlcNmr/CLHMP5cQsnOim3PH7pMYB7BYGKOuCEnn0nMxsEipquMGvePYqIqtDIY/B3hf5dqA2F1qeFwRy0iJCC0KYIINShsE3WUf5v0eWUTfhP6Rf8bIlUkX9mKzq/xJZKYj+F4zYOh54IPyt9L22gD9ztCPzTd6zzAfx6LzbIeWB7Wf8Dr/5NG SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM Cc: haibo.chen@nxp.com Subject: [U-Boot] [PATCH] mmc: cat u8 to u64 to avoid unexpected error Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Bough Chen Sept. 13, 2016, 8:27 a.m. UTC

Suspicious implicit sign extension exist. ext_csd[] is defined
as "u8", capacity is defined as u64, so u8 is promoted to signed
int first int the "|" expersion, then the sign extended to u64.
if the tmp sign value is largeer than 0x7fffffff, after the sign
extension, the upper bits of the result will all be 1.
Thanks to coverity <http://www.coverity.com>

e.g.
	u8  data_8;
	u64 data_64;

	data_8 = 0x80;
	data_64 = data_8 << 24; //0xffffffff80000000
	data_64 = ((u64)data_8) << 24;  //0x80000000

Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
---
 drivers/mmc/mmc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Tom Rini Sept. 18, 2016, 5:53 p.m. UTC | #1

On Tue, Sep 13, 2016 at 04:27:57PM +0800, Haibo Chen wrote:

> Suspicious implicit sign extension exist. ext_csd[] is defined
> as "u8", capacity is defined as u64, so u8 is promoted to signed
> int first int the "|" expersion, then the sign extended to u64.
> if the tmp sign value is largeer than 0x7fffffff, after the sign
> extension, the upper bits of the result will all be 1.
> Thanks to coverity <http://www.coverity.com>
> 
> e.g.
> 	u8  data_8;
> 	u64 data_64;
> 
> 	data_8 = 0x80;
> 	data_64 = data_8 << 24; //0xffffffff80000000
> 	data_64 = ((u64)data_8) << 24;  //0x80000000
> 
> Signed-off-by: Haibo Chen <haibo.chen@nxp.com>

Please add a 'Reported-by: Coverity' and you can include the CID if you
like.

> ---
>  drivers/mmc/mmc.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/mmc/mmc.c b/drivers/mmc/mmc.c
> index 43ea0bb..c1d1dc6 100644
> --- a/drivers/mmc/mmc.c
> +++ b/drivers/mmc/mmc.c
> @@ -1176,10 +1176,10 @@ static int mmc_startup(struct mmc *mmc)
>  			 * ext_csd's capacity is valid if the value is more
>  			 * than 2GB
>  			 */
> -			capacity = ext_csd[EXT_CSD_SEC_CNT] << 0
> -					| ext_csd[EXT_CSD_SEC_CNT + 1] << 8
> -					| ext_csd[EXT_CSD_SEC_CNT + 2] << 16
> -					| ext_csd[EXT_CSD_SEC_CNT + 3] << 24;
> +			capacity = ((u64)ext_csd[EXT_CSD_SEC_CNT]) << 0
> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 1]) << 8
> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 2]) << 16
> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 3]) << 24;
>  			capacity *= MMC_MAX_BLOCK_LEN;
>  			if ((capacity >> 20) > 2 * 1024)
>  				mmc->capacity_user = capacity;

Can't we just move capacity down to a u8 instead?  Thanks!

Jaehoon Chung Sept. 19, 2016, 6:31 a.m. UTC | #2

On 09/19/2016 02:53 AM, Tom Rini wrote:
> On Tue, Sep 13, 2016 at 04:27:57PM +0800, Haibo Chen wrote:
> 
>> Suspicious implicit sign extension exist. ext_csd[] is defined
>> as "u8", capacity is defined as u64, so u8 is promoted to signed
>> int first int the "|" expersion, then the sign extended to u64.
>> if the tmp sign value is largeer than 0x7fffffff, after the sign
>> extension, the upper bits of the result will all be 1.
>> Thanks to coverity <http://www.coverity.com>
>>
>> e.g.
>> 	u8  data_8;
>> 	u64 data_64;
>>
>> 	data_8 = 0x80;
>> 	data_64 = data_8 << 24; //0xffffffff80000000
>> 	data_64 = ((u64)data_8) << 24;  //0x80000000
>>
>> Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
> 
> Please add a 'Reported-by: Coverity' and you can include the CID if you
> like.

I think cid doesn't need to change type.

> 
>> ---
>>  drivers/mmc/mmc.c | 8 ++++----
>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/mmc/mmc.c b/drivers/mmc/mmc.c
>> index 43ea0bb..c1d1dc6 100644
>> --- a/drivers/mmc/mmc.c
>> +++ b/drivers/mmc/mmc.c
>> @@ -1176,10 +1176,10 @@ static int mmc_startup(struct mmc *mmc)
>>  			 * ext_csd's capacity is valid if the value is more
>>  			 * than 2GB
>>  			 */
>> -			capacity = ext_csd[EXT_CSD_SEC_CNT] << 0
>> -					| ext_csd[EXT_CSD_SEC_CNT + 1] << 8
>> -					| ext_csd[EXT_CSD_SEC_CNT + 2] << 16
>> -					| ext_csd[EXT_CSD_SEC_CNT + 3] << 24;
>> +			capacity = ((u64)ext_csd[EXT_CSD_SEC_CNT]) << 0
>> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 1]) << 8
>> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 2]) << 16
>> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 3]) << 24;
>>  			capacity *= MMC_MAX_BLOCK_LEN;
>>  			if ((capacity >> 20) > 2 * 1024)
>>  				mmc->capacity_user = capacity;
> 
> Can't we just move capacity down to a u8 instead?  Thanks!

Maybe not to move down to a u8..because it's displayed the real capacity for storage.

And i wonder that coverity didn't report about the line 1294?

Best Regards,
Jaehoon Chung

> 
> 
> 
> _______________________________________________
> U-Boot mailing list
> U-Boot@lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
>

Tom Rini Sept. 19, 2016, 11:30 a.m. UTC | #3

On Mon, Sep 19, 2016 at 03:31:54PM +0900, Jaehoon Chung wrote:
> On 09/19/2016 02:53 AM, Tom Rini wrote:
> > On Tue, Sep 13, 2016 at 04:27:57PM +0800, Haibo Chen wrote:
> > 
> >> Suspicious implicit sign extension exist. ext_csd[] is defined
> >> as "u8", capacity is defined as u64, so u8 is promoted to signed
> >> int first int the "|" expersion, then the sign extended to u64.
> >> if the tmp sign value is largeer than 0x7fffffff, after the sign
> >> extension, the upper bits of the result will all be 1.
> >> Thanks to coverity <http://www.coverity.com>
> >>
> >> e.g.
> >> 	u8  data_8;
> >> 	u64 data_64;
> >>
> >> 	data_8 = 0x80;
> >> 	data_64 = data_8 << 24; //0xffffffff80000000
> >> 	data_64 = ((u64)data_8) << 24;  //0x80000000
> >>
> >> Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
> > 
> > Please add a 'Reported-by: Coverity' and you can include the CID if you
> > like.
> 
> I think cid doesn't need to change type.

I mean the coverity CID :)  In the public coverity project it's 149300

> 
> > 
> >> ---
> >>  drivers/mmc/mmc.c | 8 ++++----
> >>  1 file changed, 4 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/drivers/mmc/mmc.c b/drivers/mmc/mmc.c
> >> index 43ea0bb..c1d1dc6 100644
> >> --- a/drivers/mmc/mmc.c
> >> +++ b/drivers/mmc/mmc.c
> >> @@ -1176,10 +1176,10 @@ static int mmc_startup(struct mmc *mmc)
> >>  			 * ext_csd's capacity is valid if the value is more
> >>  			 * than 2GB
> >>  			 */
> >> -			capacity = ext_csd[EXT_CSD_SEC_CNT] << 0
> >> -					| ext_csd[EXT_CSD_SEC_CNT + 1] << 8
> >> -					| ext_csd[EXT_CSD_SEC_CNT + 2] << 16
> >> -					| ext_csd[EXT_CSD_SEC_CNT + 3] << 24;
> >> +			capacity = ((u64)ext_csd[EXT_CSD_SEC_CNT]) << 0
> >> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 1]) << 8
> >> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 2]) << 16
> >> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 3]) << 24;
> >>  			capacity *= MMC_MAX_BLOCK_LEN;
> >>  			if ((capacity >> 20) > 2 * 1024)
> >>  				mmc->capacity_user = capacity;
> > 
> > Can't we just move capacity down to a u8 instead?  Thanks!
> 
> Maybe not to move down to a u8..because it's displayed the real capacity for storage.

We could update those lines too?  It's just that one case right there,
yes?

> And i wonder that coverity didn't report about the line 1294?

It does, along with 1256.

Thanks!

Jaehoon Chung Sept. 20, 2016, 2:04 a.m. UTC | #4

On 09/19/2016 08:30 PM, Tom Rini wrote:
> On Mon, Sep 19, 2016 at 03:31:54PM +0900, Jaehoon Chung wrote:
>> On 09/19/2016 02:53 AM, Tom Rini wrote:
>>> On Tue, Sep 13, 2016 at 04:27:57PM +0800, Haibo Chen wrote:
>>>
>>>> Suspicious implicit sign extension exist. ext_csd[] is defined
>>>> as "u8", capacity is defined as u64, so u8 is promoted to signed
>>>> int first int the "|" expersion, then the sign extended to u64.
>>>> if the tmp sign value is largeer than 0x7fffffff, after the sign
>>>> extension, the upper bits of the result will all be 1.
>>>> Thanks to coverity <http://www.coverity.com>
>>>>
>>>> e.g.
>>>> 	u8  data_8;
>>>> 	u64 data_64;
>>>>
>>>> 	data_8 = 0x80;
>>>> 	data_64 = data_8 << 24; //0xffffffff80000000
>>>> 	data_64 = ((u64)data_8) << 24;  //0x80000000
>>>>
>>>> Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
>>>
>>> Please add a 'Reported-by: Coverity' and you can include the CID if you
>>> like.
>>
>> I think cid doesn't need to change type.
> 
> I mean the coverity CID :)  In the public coverity project it's 149300

Ah! I misunderstood CID as cid register. :)

> 
>>
>>>
>>>> ---
>>>>  drivers/mmc/mmc.c | 8 ++++----
>>>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/mmc/mmc.c b/drivers/mmc/mmc.c
>>>> index 43ea0bb..c1d1dc6 100644
>>>> --- a/drivers/mmc/mmc.c
>>>> +++ b/drivers/mmc/mmc.c
>>>> @@ -1176,10 +1176,10 @@ static int mmc_startup(struct mmc *mmc)
>>>>  			 * ext_csd's capacity is valid if the value is more
>>>>  			 * than 2GB
>>>>  			 */
>>>> -			capacity = ext_csd[EXT_CSD_SEC_CNT] << 0
>>>> -					| ext_csd[EXT_CSD_SEC_CNT + 1] << 8
>>>> -					| ext_csd[EXT_CSD_SEC_CNT + 2] << 16
>>>> -					| ext_csd[EXT_CSD_SEC_CNT + 3] << 24;
>>>> +			capacity = ((u64)ext_csd[EXT_CSD_SEC_CNT]) << 0
>>>> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 1]) << 8
>>>> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 2]) << 16
>>>> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 3]) << 24;
>>>>  			capacity *= MMC_MAX_BLOCK_LEN;
>>>>  			if ((capacity >> 20) > 2 * 1024)
>>>>  				mmc->capacity_user = capacity;
>>>
>>> Can't we just move capacity down to a u8 instead?  Thanks!
>>
>> Maybe not to move down to a u8..because it's displayed the real capacity for storage.
> 
> We could update those lines too?  It's just that one case right there,
> yes?

If it's possible to calculate the correct capacity?

Best Regards,
Jaehoon Chung

> 
>> And i wonder that coverity didn't report about the line 1294?
> 
> It does, along with 1256.
> 
> Thanks!
>

Tom Rini Sept. 20, 2016, 2:12 a.m. UTC | #5

On Tue, Sep 20, 2016 at 11:04:40AM +0900, Jaehoon Chung wrote:
> On 09/19/2016 08:30 PM, Tom Rini wrote:
> > On Mon, Sep 19, 2016 at 03:31:54PM +0900, Jaehoon Chung wrote:
> >> On 09/19/2016 02:53 AM, Tom Rini wrote:
> >>> On Tue, Sep 13, 2016 at 04:27:57PM +0800, Haibo Chen wrote:
> >>>
> >>>> Suspicious implicit sign extension exist. ext_csd[] is defined
> >>>> as "u8", capacity is defined as u64, so u8 is promoted to signed
> >>>> int first int the "|" expersion, then the sign extended to u64.
> >>>> if the tmp sign value is largeer than 0x7fffffff, after the sign
> >>>> extension, the upper bits of the result will all be 1.
> >>>> Thanks to coverity <http://www.coverity.com>
> >>>>
> >>>> e.g.
> >>>> 	u8  data_8;
> >>>> 	u64 data_64;
> >>>>
> >>>> 	data_8 = 0x80;
> >>>> 	data_64 = data_8 << 24; //0xffffffff80000000
> >>>> 	data_64 = ((u64)data_8) << 24;  //0x80000000
> >>>>
> >>>> Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
> >>>
> >>> Please add a 'Reported-by: Coverity' and you can include the CID if you
> >>> like.
> >>
> >> I think cid doesn't need to change type.
> > 
> > I mean the coverity CID :)  In the public coverity project it's 149300
> 
> Ah! I misunderstood CID as cid register. :)
> 
> > 
> >>
> >>>
> >>>> ---
> >>>>  drivers/mmc/mmc.c | 8 ++++----
> >>>>  1 file changed, 4 insertions(+), 4 deletions(-)
> >>>>
> >>>> diff --git a/drivers/mmc/mmc.c b/drivers/mmc/mmc.c
> >>>> index 43ea0bb..c1d1dc6 100644
> >>>> --- a/drivers/mmc/mmc.c
> >>>> +++ b/drivers/mmc/mmc.c
> >>>> @@ -1176,10 +1176,10 @@ static int mmc_startup(struct mmc *mmc)
> >>>>  			 * ext_csd's capacity is valid if the value is more
> >>>>  			 * than 2GB
> >>>>  			 */
> >>>> -			capacity = ext_csd[EXT_CSD_SEC_CNT] << 0
> >>>> -					| ext_csd[EXT_CSD_SEC_CNT + 1] << 8
> >>>> -					| ext_csd[EXT_CSD_SEC_CNT + 2] << 16
> >>>> -					| ext_csd[EXT_CSD_SEC_CNT + 3] << 24;
> >>>> +			capacity = ((u64)ext_csd[EXT_CSD_SEC_CNT]) << 0
> >>>> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 1]) << 8
> >>>> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 2]) << 16
> >>>> +					| ((u64)ext_csd[EXT_CSD_SEC_CNT + 3]) << 24;
> >>>>  			capacity *= MMC_MAX_BLOCK_LEN;
> >>>>  			if ((capacity >> 20) > 2 * 1024)
> >>>>  				mmc->capacity_user = capacity;
> >>>
> >>> Can't we just move capacity down to a u8 instead?  Thanks!
> >>
> >> Maybe not to move down to a u8..because it's displayed the real capacity for storage.
> > 
> > We could update those lines too?  It's just that one case right there,
> > yes?
> 
> If it's possible to calculate the correct capacity?

... I think?  I hadn't had my coffee yet when I did a quick compile test
this morning but it looks like all of the uses of capacity would fit
into a u8.  Someone should check and make a formal patch :)

[U-Boot] mmc: cat u8 to u64 to avoid unexpected error

Commit Message

Comments

Patch