On Tue, Oct 29, 2024 at 06:43:15PM +0200, Vladimir Oltean wrote:
> struct qm_sg_entry :: offset is a 13-bit field, declared as __be16.
>
> When using be32_to_cpu(), a wrong value will be calculated on little
> endian systems (Arm), because type promotion from 16-bit to 32-bit,
> which is done before the byte swap and always in the CPU native
> endianness, changes the value of the scatter/gather list entry offset in
> big-endian interpretation (adds two zero bytes in the LSB interpretation).
> The result of the byte swap is ANDed with GENMASK(12, 0), so the result
> is always zero, because only those bytes added by type promotion remain
> after the application of the bit mask.
>
> The impact of the bug is that scatter/gather frames with a non-zero
> offset into the buffer are treated by the driver as if they had a zero
> offset. This is all in theory, because in practice, qm_sg_entry_get_off()
> has a single caller, where the bug is inconsequential, because at that
> call site the buffer offset will always be zero, as will be explained in
> the subsequent change.
>
> Flagged by sparse:
>
> warning: cast to restricted __be32
> warning: cast from restricted __be16
>
> Signed-off-by: Vladimir Oltean <vladimir.olt...@nxp.com>
Reviewed-by: Breno Leitao <lei...@debian.org>
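The promotion-before-swap mechanism described in the quoted commit message, as an added stand-alone example (not kernel code and not part of this thread): a constructed two-byte big-endian field is read once with a 32-bit swap and once with a 16-bit swap, and on a little-endian host only the latter recovers the 13-bit offset. The `sg_entry` struct and helper names are illustrative stand-ins, not the driver's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulate the kernel helpers: swap bytes only on a little-endian host. */
static int host_is_little_endian(void)
{
	uint16_t probe = 1;
	uint8_t first;
	memcpy(&first, &probe, 1);
	return first == 1;
}

static uint16_t be16_to_cpu(uint16_t v)
{
	return host_is_little_endian() ? (uint16_t)((v << 8) | (v >> 8)) : v;
}

static uint32_t be32_to_cpu(uint32_t v)
{
	if (!host_is_little_endian())
		return v;
	return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

#define GENMASK_12_0 0x1fffu	/* the 13-bit offset mask */

/* Constructed stand-in for the __be16 offset field: two bytes stored in
 * big-endian wire order, as the hardware would write them. */
struct sg_entry { uint16_t offset_be; };

static struct sg_entry make_entry(uint16_t off)
{
	struct sg_entry e;
	uint8_t raw[2] = { (uint8_t)(off >> 8), (uint8_t)off };
	memcpy(&e.offset_be, raw, 2);
	return e;
}

/* Buggy: the 16-bit field is promoted to 32 bits (two zero bytes appended
 * in host order) before the swap, so the mask keeps only those zeros. */
static unsigned int get_off_buggy(const struct sg_entry *e)
{
	return be32_to_cpu(e->offset_be) & GENMASK_12_0;
}

/* Fixed: swap at the field's real width, then mask. */
static unsigned int get_off_fixed(const struct sg_entry *e)
{
	return be16_to_cpu(e->offset_be) & GENMASK_12_0;
}
```

On an x86 or Arm little-endian host `get_off_buggy` yields 0 for an entry built with `make_entry(0x0123)`, while `get_off_fixed` yields 0x123; on a big-endian host both agree, which is why the bug only shows up on Arm.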