In 'lpphy_start_tx_tone()', 'CORDIC_FLOAT((sample.i * max) & 0xFF)'
is invalid because it is (<32-bit> & 0xff) shifted right by 15 bits
and so always evaluates to zero. Looking through brcmsmac's
'wlc_lcnphy_start_tx_tone()', the result should be masked instead,
i. e. 'CORDIC_FLOAT(sample[i].max) & 0xFF'.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Suggested-by: Jonas Gorski <[email protected]>
Signed-off-by: Dmitry Antipov <[email protected]>
---
drivers/net/wireless/broadcom/b43/phy_lp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c
index 0e5c076e7544..e8ef04e509aa 100644
--- a/drivers/net/wireless/broadcom/b43/phy_lp.c
+++ b/drivers/net/wireless/broadcom/b43/phy_lp.c
@@ -1788,8 +1788,8 @@ static void lpphy_start_tx_tone(struct b43_wldev *dev, s32 freq, u16 max)
for (i = 0; i < samples; i++) {
sample = cordic_calc_iq(CORDIC_FIXED(theta));
theta += rotation;
- buf[i] = CORDIC_FLOAT((sample.i * max) & 0xFF) << 8;
- buf[i] |= CORDIC_FLOAT((sample.q * max) & 0xFF);
+ buf[i] = (u16)((CORDIC_FLOAT(sample.i * max) & 0xFF) << 8);
+ buf[i] |= (u16)(CORDIC_FLOAT(sample.q * max) & 0xFF);
}
b43_lptab_write_bulk(dev, B43_LPTAB16(5, 0), samples, buf);
--
2.41.0
On 6/27/23 08:00, Dmitry Antipov wrote:
> In 'lpphy_start_tx_tone()', 'CORDIC_FLOAT((sample.i * max) & 0xFF)'
> is invalid because it is (<32-bit> & 0xff) shifted right by 15 bits
> and so always evaluates to zero. Looking through brcmsmac's
> 'wlc_lcnphy_start_tx_tone()', the result should be masked instead,
> i. e. 'CORDIC_FLOAT(sample[i].max) & 0xFF'.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Suggested-by: Jonas Gorski <[email protected]>
> Signed-off-by: Dmitry Antipov <[email protected]>
> ---
> drivers/net/wireless/broadcom/b43/phy_lp.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c
> index 0e5c076e7544..e8ef04e509aa 100644
> --- a/drivers/net/wireless/broadcom/b43/phy_lp.c
> +++ b/drivers/net/wireless/broadcom/b43/phy_lp.c
> @@ -1788,8 +1788,8 @@ static void lpphy_start_tx_tone(struct b43_wldev *dev, s32 freq, u16 max)
> for (i = 0; i < samples; i++) {
> sample = cordic_calc_iq(CORDIC_FIXED(theta));
> theta += rotation;
> - buf[i] = CORDIC_FLOAT((sample.i * max) & 0xFF) << 8;
> - buf[i] |= CORDIC_FLOAT((sample.q * max) & 0xFF);
> + buf[i] = (u16)((CORDIC_FLOAT(sample.i * max) & 0xFF) << 8);
> + buf[i] |= (u16)(CORDIC_FLOAT(sample.q * max) & 0xFF);
> }
>
> b43_lptab_write_bulk(dev, B43_LPTAB16(5, 0), samples, buf);
This has not yet been tested, but it does need a "Fixes:" tag, and a Cc for stable.
Larry
In 'lpphy_start_tx_tone()', 'CORDIC_FLOAT((sample.i * max) & 0xFF)'
is invalid because it is (<32-bit> & 0xff) shifted right by 15 bits
and so always evaluates to zero. Looking through brcmsmac's
'wlc_lcnphy_start_tx_tone()', the result should be masked instead,
i. e. 'CORDIC_FLOAT(sample[i].max) & 0xFF'.
Fixes: 6f98e62a9f1b ("b43: update cordic code to match current specs")
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Cc: [email protected]
Suggested-by: Jonas Gorski <[email protected]>
Signed-off-by: Dmitry Antipov <[email protected]>
---
v2: add Cc: stable and Fixes: (Larry Finger)
---
drivers/net/wireless/broadcom/b43/phy_lp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c
index 0e5c076e7544..e8ef04e509aa 100644
--- a/drivers/net/wireless/broadcom/b43/phy_lp.c
+++ b/drivers/net/wireless/broadcom/b43/phy_lp.c
@@ -1788,8 +1788,8 @@ static void lpphy_start_tx_tone(struct b43_wldev *dev, s32 freq, u16 max)
for (i = 0; i < samples; i++) {
sample = cordic_calc_iq(CORDIC_FIXED(theta));
theta += rotation;
- buf[i] = CORDIC_FLOAT((sample.i * max) & 0xFF) << 8;
- buf[i] |= CORDIC_FLOAT((sample.q * max) & 0xFF);
+ buf[i] = (u16)((CORDIC_FLOAT(sample.i * max) & 0xFF) << 8);
+ buf[i] |= (u16)(CORDIC_FLOAT(sample.q * max) & 0xFF);
}
b43_lptab_write_bulk(dev, B43_LPTAB16(5, 0), samples, buf);
--
2.41.0
From: Dmitry Antipov
> Sent: 27 June 2023 16:14
>
> In 'lpphy_start_tx_tone()', 'CORDIC_FLOAT((sample.i * max) & 0xFF)'
> is invalid because it is (<32-bit> & 0xff) shifted right by 15 bits
> and so always evaluates to zero. Looking through brcmsmac's
> 'wlc_lcnphy_start_tx_tone()', the result should be masked instead,
> i. e. 'CORDIC_FLOAT(sample[i].max) & 0xFF'.
>
> Fixes: 6f98e62a9f1b ("b43: update cordic code to match current specs")
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Cc: [email protected]
> Suggested-by: Jonas Gorski <[email protected]>
> Signed-off-by: Dmitry Antipov <[email protected]>
> ---
> v2: add Cc: stable and Fixes: (Larry Finger)
> ---
> drivers/net/wireless/broadcom/b43/phy_lp.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/broadcom/b43/phy_lp.c b/drivers/net/wireless/broadcom/b43/phy_lp.c
> index 0e5c076e7544..e8ef04e509aa 100644
> --- a/drivers/net/wireless/broadcom/b43/phy_lp.c
> +++ b/drivers/net/wireless/broadcom/b43/phy_lp.c
> @@ -1788,8 +1788,8 @@ static void lpphy_start_tx_tone(struct b43_wldev *dev, s32 freq, u16 max)
> for (i = 0; i < samples; i++) {
> sample = cordic_calc_iq(CORDIC_FIXED(theta));
> theta += rotation;
> - buf[i] = CORDIC_FLOAT((sample.i * max) & 0xFF) << 8;
> - buf[i] |= CORDIC_FLOAT((sample.q * max) & 0xFF);
> + buf[i] = (u16)((CORDIC_FLOAT(sample.i * max) & 0xFF) << 8);
> + buf[i] |= (u16)(CORDIC_FLOAT(sample.q * max) & 0xFF);
What are the (u16) casts for?
This code is actually called exactly once with max == 100.
The .i and .q are the sine and cosine << 16 (signed).
The CORDIC_FLOAT() is basically >> 16 (not 15) so the result should
be between -100 and +100.
The & 0xFF is there to strip the sign.
The sin+cos are then packed into a short[] then unpacked to be
written to the hardware later.
> }
>
> b43_lptab_write_bulk(dev, B43_LPTAB16(5, 0), samples, buf);
Don't open the bag of worms that contains the above :-)
David
> --
> 2.41.0
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
On 6/28/23 11:24, David Laight wrote:
> What are the (u16) casts for?
Well, this is a kind of a C language purism intended to silence
warning: conversion from ‘int’ to ‘u16’ {aka ‘short unsigned int’} may change value [-Wconversion]
observed with W=123.
Dmitry
From: Dmitry Antipov
> Sent: 28 June 2023 11:45
>
> On 6/28/23 11:24, David Laight wrote:
>
> > What are the (u16) casts for?
>
> Well, this is a kind of a C language purism intended to silence
> warning: conversion from ‘int’ to ‘u16’ {aka ‘short unsigned int’} may change value [-Wconversion]
> observed with W=123.
The problem is that the casts can hide more than just a value being truncated.
In this case the compiler even knows the values don't overflow.
FWIW I've seen generated code for:
*cp++ = (unsigned char)(value & 0xff);
that masked the value with 0xff once for the & a second time for
the cast and then stored the low byte.
I don't think modern gcc will do that, but a dumb compiler will.
If -Wconversion bleats about these sort of assignments it just
needs permanently disabling (or deleting from the compiler!).
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)