From: Timur Tabi <timur@freescale.com>
To: Andrew Fleming-AFLEMING <AFLEMING@freescale.com>,
David Miller <davem@davemloft.net>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Broken ioremap usage in fsl_pq_mdio.c?
Date: Fri, 6 Jan 2012 15:11:22 -0600
Message-ID: <4F07637A.901@freescale.com>

I see some odd code in fsl_pq_mdio.c, so I'm hoping someone can clear this up for me. In fsl_pq_mdio_probe(), I see this code:

	/* Set the PHY base address */
	addr = of_translate_address(np, addrp);
	if (addr == OF_BAD_ADDR) {
		err = -EINVAL;
		goto err_free_bus;
	}

	map = ioremap(addr, size);
	if (!map) {
		err = -ENOMEM;
		goto err_free_bus;
	}
	priv->map = map;

	if (of_device_is_compatible(np, "fsl,gianfar-mdio") ||
	    of_device_is_compatible(np, "fsl,gianfar-tbi") ||
	    of_device_is_compatible(np, "fsl,ucc-mdio") ||
	    of_device_is_compatible(np, "ucc_geth_phy"))
		map -= offsetof(struct fsl_pq_mdio, miimcfg);
	regs = map;
	priv->regs = regs;

I don't see how the "map -= offsetof(struct fsl_pq_mdio, miimcfg)" is valid. 'map' initially points to the beginning of an ioremap'd buffer. Subtracting from it will cause it to point to an invalid memory area.

I presume this works because ioremap() maps whole pages, and "map - offsetof(struct fsl_pq_mdio, miimcfg)" is still inside that page. However, this is not documented as an assumption, so I don't know if this is really what's intended. Regardless, it seems very fragile. At the very least, there should be another ioremap for priv->regs, but that's still a hack.
--
Timur Tabi
Linux kernel developer at Freescale
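
An added illustration, not part of the original message or the driver: a user-space C model of the biased-pointer pattern questioned above, checking which register accesses made through regs = map - offsetof(...) land inside the bytes that were mapped. The struct layout, the `window` type, `access_in_window()` and `REG_OK()` are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical register block. The layout is an assumption for this
 * example, not the driver's real struct fsl_pq_mdio. */
struct mdio_regs_model {
	uint32_t reserved[64];	/* registers preceding the MII block */
	uint32_t miimcfg;	/* first register covered by the mapping */
	uint32_t miimcom;
	uint32_t miimadd;
	uint32_t miimcon;
	uint32_t miimstat;
	uint32_t miimind;
};

/* The mapped bytes, described by where they start inside the struct. */
struct window {
	size_t first_off;	/* struct offset of the first mapped byte */
	size_t len;		/* number of bytes mapped */
};

/* True if an access of 'size' bytes at struct offset 'off', made through
 * regs = map - first_off, stays inside the mapped bytes. */
static bool access_in_window(const struct window *w, size_t off, size_t size)
{
	if (off < w->first_off)
		return false;	/* lands before the start of the mapping */
	if (size > w->len)
		return false;
	return off - w->first_off <= w->len - size;
}

#define REG_OK(w, field) \
	access_in_window((w), offsetof(struct mdio_regs_model, field), \
			 sizeof(((struct mdio_regs_model *)0)->field))

int main(void)
{
	/* Constructed sample: mapping starts at miimcfg, covers six registers. */
	struct window w = { offsetof(struct mdio_regs_model, miimcfg),
			    6 * sizeof(uint32_t) };

	printf("miimcfg  %s\n", REG_OK(&w, miimcfg) ? "mapped" : "outside");
	printf("miimind  %s\n", REG_OK(&w, miimind) ? "mapped" : "outside");
	printf("reserved %s\n", REG_OK(&w, reserved) ? "mapped" : "outside");
	return 0;
}
```

The model works on offsets only, so it never forms a pointer outside the mapped object; a driver could apply the same comparison before dereferencing a biased register pointer.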