Commit 188c6ba

Dan Carpenter authored and vinodkoul committed
dmaengine: nbpfaxi: Fix memory corruption in probe()

The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory.

The changes to the second loop are more involved. In this case, we're copying data from the irqbuf[] array into the nbpf->chan[] array. If the data in irqbuf[i] is the error IRQ then we skip it, so the iterators are not in sync. I added a check to ensure that we don't go beyond the end of the irqbuf[] array. I'm pretty sure this can't happen, but it seemed harmless to add a check.

On the other hand, after the loop has ended there is a check to ensure that the "chan" iterator is where we expect it to be. In the original code we went one element beyond the end of the array so the iterator wasn't in the correct place and it would always return -EINVAL. However, now it will always be in the correct place. I deleted the check since we know the result.

Cc: [email protected]
Fixes: b45b262 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores")
Signed-off-by: Dan Carpenter <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vinod Koul <[email protected]>

1 parent 8eba218 commit 188c6ba

1 file changed: +5 -6 lines changed

drivers/dma/nbpfaxi.c

Lines changed: 5 additions & 6 deletions
@@ -1351,7 +1351,7 @@ static int nbpf_probe(struct platform_device *pdev)
13511351
if (irqs == 1) {
13521352
eirq = irqbuf[0];
13531353

1354-
for (i = 0; i <= num_channels; i++)
1354+
for (i = 0; i < num_channels; i++)
13551355
nbpf->chan[i].irq = irqbuf[0];
13561356
} else {
13571357
eirq = platform_get_irq_byname(pdev, "error");
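
Review bot: nothing next to the `for (i = 0; i < num_channels; i++)` loop in the `irqs == 1` branch records that nbpf->chan[] holds exactly num_channels elements, and that invariant is what the corrected bound relies on. The allocation is outside this hunk, so a short comment at the loop (or a pointer to the allocation site) would make the bound checkable in place and help keep `<=` from coming back.
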
@@ -1361,24 +1361,23 @@ static int nbpf_probe(struct platform_device *pdev)
13611361
if (irqs == num_channels + 1) {
13621362
struct nbpf_channel *chan;
13631363

1364-
for (i = 0, chan = nbpf->chan; i <= num_channels;
1364+
for (i = 0, chan = nbpf->chan; i < num_channels;
13651365
i++, chan++) {
13661366
/* Skip the error IRQ */
13671367
if (irqbuf[i] == eirq)
13681368
i++;
1369+
if (i >= ARRAY_SIZE(irqbuf))
1370+
return -EINVAL;
13691371
chan->irq = irqbuf[i];
13701372
}
1371-
1372-
if (chan != nbpf->chan + num_channels)
1373-
return -EINVAL;
13741373
} else {
13751374
/* 2 IRQs and more than one channel */
13761375
if (irqbuf[0] == eirq)
13771376
irq = irqbuf[1];
13781377
else
13791378
irq = irqbuf[0];
13801379

1381-
for (i = 0; i <= num_channels; i++)
1380+
for (i = 0; i < num_channels; i++)
13821381
nbpf->chan[i].irq = irq;
13831382
}
13841383
}
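
Review bot: in the `irqs == num_channels + 1` loop, `i` indexes irqbuf[] while `chan` walks nbpf->chan[], and the skip (`if (irqbuf[i] == eirq) i++;`) advances only `i`, so bounding the loop on `i < num_channels` appears to end it one channel early whenever the error IRQ sits at an index below num_channels - 1. For example, with num_channels = 3 and the error IRQ at irqbuf[0], the iterations assign chan[0] and chan[1], then `i` reaches 3 and the loop exits with chan[2].irq never written. The removed `chan != nbpf->chan + num_channels` test is the only check in these lines that would report that case, so I would either keep it or bound the loop on the channel (`chan < nbpf->chan + num_channels`) and treat `i` purely as an irqbuf[] cursor. Separately, the new guard compares `i` against ARRAY_SIZE(irqbuf), the capacity of the array; comparing against `irqs`, which this branch has just tested against num_channels + 1 and which presumably counts the filled entries, would be the tighter bound.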
