[PATCH 1/2] mm, cma: fix 32-bit warning

[PATCH 1/2] mm, cma: fix 32-bit warning

[Arnd Bergmann]

From: Arnd Bergmann <arnd@arndb.de>

clang warns about certain always-true conditions, like this one on 32-bit
builds:

mm/cma.c:420:13: error: result of comparison of constant 4294967296 with expression of type 'phys_addr_t' (aka 'unsigned int') is always true [-Werror,-Wtautological-constant-out-of-range-compare]
  420 |                 if (start < SZ_4G)
      |                     ~~~~~ ^ ~~~~~

Replace this one with an equivalent expression that does not cause a warning.

Fixes: 4765deffa0f7 ("mm, cma: support multiple contiguous ranges, if requested")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 mm/cma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/cma.c b/mm/cma.c
index 34a4df29af72..ef0206c0f16d 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -417,7 +417,7 @@ int __init cma_declare_contiguous_multi(phys_addr_t total_size,
 	 * Create a list of ranges above 4G, largest range first.
 	 */
 	for_each_free_mem_range(i, nid, MEMBLOCK_NONE, &start, &end, NULL) {
-		if (start < SZ_4G)
+		if (upper_32_bits(start) == 0)
 			continue;
 
 		start = ALIGN(start, align);
-- 
2.39.5

[PATCH 2/2] mm, cma: use literal printf format string

[Arnd Bergmann]

From: Arnd Bergmann <arnd@arndb.de>

Using a variable string as a printf format can be a security issue
that clang warns about when extra warnings are enabled:

mm/cma.c:239:37: error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
  239 |                 snprintf(cma->name, CMA_MAX_NAME, name);
      |                                                   ^~~~

This one does not appear to be a security issue since the string is
not user controlled, but it's better to avoid the warning.
Use "%s" as the format instead and just pass the name as the argument.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 mm/cma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/cma.c b/mm/cma.c
index ef0206c0f16d..09322b8284bd 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -236,7 +236,7 @@ static int __init cma_new_area(const char *name, phys_addr_t size,
 	cma_area_count++;
 
 	if (name)
-		snprintf(cma->name, CMA_MAX_NAME, name);
+		snprintf(cma->name, CMA_MAX_NAME, "%s", name);
 	else
 		snprintf(cma->name, CMA_MAX_NAME,  "cma%d\n", cma_area_count);
 
-- 
2.39.5

Re: [PATCH 1/2] mm, cma: fix 32-bit warning

[Zi Yan]

On 24 Feb 2025, at 9:07, Arnd Bergmann wrote:

> From: Arnd Bergmann <arnd@arndb.de>
>
> clang warns about certain always-true conditions, like this one on 32-bit
> builds:
>
> mm/cma.c:420:13: error: result of comparison of constant 4294967296 with expression of type 'phys_addr_t' (aka 'unsigned int') is always true [-Werror,-Wtautological-constant-out-of-range-compare]
>   420 |                 if (start < SZ_4G)
>       |                     ~~~~~ ^ ~~~~~
>
> Replace this one with an equivalent expression that does not cause a warning.
>
> Fixes: 4765deffa0f7 ("mm, cma: support multiple contiguous ranges, if requested")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  mm/cma.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

LGTM. Reviewed-by: Zi Yan <ziy@nvidia.com>

Best Regards,
Yan, Zi

Re: [PATCH 2/2] mm, cma: use literal printf format string

[Zi Yan]

On 24 Feb 2025, at 9:07, Arnd Bergmann wrote:

> From: Arnd Bergmann <arnd@arndb.de>
>
> Using a variable string as a printf format can be a security issue
> that clang warns about when extra warnings are enabled:
>
> mm/cma.c:239:37: error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
>   239 |                 snprintf(cma->name, CMA_MAX_NAME, name);
>       |                                                   ^~~~
>
> This one does not appear to be a security issue since the string is
> not user controlled, but it's better to avoid the warning.
> Use "%s" as the format instead and just pass the name as the argument.
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  mm/cma.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
LGTM. Reviewed-by: Zi Yan <ziy@nvidia.com>

Best Regards,
Yan, Zi

Re: [PATCH 1/2] mm, cma: fix 32-bit warning

[David Hildenbrand]

On 24.02.25 15:07, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> clang warns about certain always-true conditions, like this one on 32-bit
> builds:
> 
> mm/cma.c:420:13: error: result of comparison of constant 4294967296 with expression of type 'phys_addr_t' (aka 'unsigned int') is always true [-Werror,-Wtautological-constant-out-of-range-compare]
>    420 |                 if (start < SZ_4G)
>        |                     ~~~~~ ^ ~~~~~
> 

Hm, so in this case the whole loop is unnecessary.

In any case

Acked-by: David Hildenbrand <david@redhat.com>


-- 
Cheers,

David / dhildenb

Re: [PATCH 2/2] mm, cma: use literal printf format string

[David Hildenbrand]

On 24.02.25 15:07, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> Using a variable string as a printf format can be a security issue
> that clang warns about when extra warnings are enabled:
> 
> mm/cma.c:239:37: error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
>    239 |                 snprintf(cma->name, CMA_MAX_NAME, name);
>        |                                                   ^~~~
> 
> This one does not appear to be a security issue since the string is
> not user controlled, but it's better to avoid the warning.
> Use "%s" as the format instead and just pass the name as the argument.
> 
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>   mm/cma.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/cma.c b/mm/cma.c
> index ef0206c0f16d..09322b8284bd 100644
> --- a/mm/cma.c
> +++ b/mm/cma.c
> @@ -236,7 +236,7 @@ static int __init cma_new_area(const char *name, phys_addr_t size,
>   	cma_area_count++;
>   
>   	if (name)
> -		snprintf(cma->name, CMA_MAX_NAME, name);
> +		snprintf(cma->name, CMA_MAX_NAME, "%s", name);
>   	else
>   		snprintf(cma->name, CMA_MAX_NAME,  "cma%d\n", cma_area_count);
>   

Acked-by: David Hildenbrand <david@redhat.com>

-- 
Cheers,

David / dhildenb

Re: [PATCH 1/2] mm, cma: fix 32-bit warning

[Frank van der Linden]

On Mon, Feb 24, 2025 at 6:11 AM Arnd Bergmann <arnd@kernel.org> wrote:
>
> From: Arnd Bergmann <arnd@arndb.de>
>
> clang warns about certain always-true conditions, like this one on 32-bit
> builds:
>
> mm/cma.c:420:13: error: result of comparison of constant 4294967296 with expression of type 'phys_addr_t' (aka 'unsigned int') is always true [-Werror,-Wtautological-constant-out-of-range-compare]
>   420 |                 if (start < SZ_4G)
>       |                     ~~~~~ ^ ~~~~~
>
> Replace this one with an equivalent expression that does not cause a warning.
>
> Fixes: 4765deffa0f7 ("mm, cma: support multiple contiguous ranges, if requested")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  mm/cma.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/cma.c b/mm/cma.c
> index 34a4df29af72..ef0206c0f16d 100644
> --- a/mm/cma.c
> +++ b/mm/cma.c
> @@ -417,7 +417,7 @@ int __init cma_declare_contiguous_multi(phys_addr_t total_size,
>          * Create a list of ranges above 4G, largest range first.
>          */
>         for_each_free_mem_range(i, nid, MEMBLOCK_NONE, &start, &end, NULL) {
> -               if (start < SZ_4G)
> +               if (upper_32_bits(start) == 0)
>                         continue;
>
>                 start = ALIGN(start, align);
> --
> 2.39.5
>

Thanks for fixing these nits in my patch series - which, btw, needs
more reviews, if anyone's reading this - please :)

Reviewed-by: Frank van der Linden <fvdl@google.com>

Re: [PATCH 2/2] mm, cma: use literal printf format string

[Frank van der Linden]

On Mon, Feb 24, 2025 at 6:11 AM Arnd Bergmann <arnd@kernel.org> wrote:
>
> From: Arnd Bergmann <arnd@arndb.de>
>
> Using a variable string as a printf format can be a security issue
> that clang warns about when extra warnings are enabled:
>
> mm/cma.c:239:37: error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
>   239 |                 snprintf(cma->name, CMA_MAX_NAME, name);
>       |                                                   ^~~~
>
> This one does not appear to be a security issue since the string is
> not user controlled, but it's better to avoid the warning.
> Use "%s" as the format instead and just pass the name as the argument.
>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>  mm/cma.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/cma.c b/mm/cma.c
> index ef0206c0f16d..09322b8284bd 100644
> --- a/mm/cma.c
> +++ b/mm/cma.c
> @@ -236,7 +236,7 @@ static int __init cma_new_area(const char *name, phys_addr_t size,
>         cma_area_count++;
>
>         if (name)
> -               snprintf(cma->name, CMA_MAX_NAME, name);
> +               snprintf(cma->name, CMA_MAX_NAME, "%s", name);
>         else
>                 snprintf(cma->name, CMA_MAX_NAME,  "cma%d\n", cma_area_count);
>
> --
> 2.39.5
>

Yes, thanks - not sure why I didn't use "%s" there.

Reviewed-by: Frank van der Linden <fvdl@google.com>