Alsa-Devel Archive on lore.kernel.org
From: Dan Carpenter <dan.carpenter@oracle.com>
To: srinivas.kandagatla@linaro.org
Cc: alsa-devel@alsa-project.org
Subject: [bug report] soundwire: qcom: Check device status before reading devid
Date: Fri, 8 Jul 2022 11:08:14 +0300
Message-ID: <Ysfl7lzEyRVuQ+Dg@kili>

Hello Srinivas Kandagatla,

The patch aa1262ca6695: "soundwire: qcom: Check device status before
reading devid" from Jul 6, 2022, leads to the following Smatch static
checker warning:

	drivers/soundwire/qcom.c:484 qcom_swrm_enumerate()
	error: buffer overflow 'ctrl->status' 11 <= 11

drivers/soundwire/qcom.c
    471 static int qcom_swrm_enumerate(struct sdw_bus *bus)
    472 {
    473         struct qcom_swrm_ctrl *ctrl = to_qcom_sdw(bus);
    474         struct sdw_slave *slave, *_s;
    475         struct sdw_slave_id id;
    476         u32 val1, val2;
    477         bool found;
    478         u64 addr;
    479         int i;
    480         char *buf1 = (char *)&val1, *buf2 = (char *)&val2;
    481 
    482         for (i = 1; i <= SDW_MAX_DEVICES; i++) {
                     ^^^^^
This is a loop that starts from 1 instead of 0.  I looked at the
surrounding context and it seems like it should be a normal loop that
starts at 0 and goes to < SDW_MAX_DEVICES.

(Or possibly the other loops are buggy as well).

    483                 /* do not continue if the status is Not Present  */
--> 484                 if (!ctrl->status[i])

So this is off by one and reads one element beyond the end of the loop.

    485                         continue;
    486 
    487                 /*SCP_Devid5 - Devid 4*/
    488                 ctrl->reg_read(ctrl, SWRM_ENUMERATOR_SLAVE_DEV_ID_1(i), &val1);
    489 
    490                 /*SCP_Devid3 - DevId 2 Devid 1 Devid 0*/
    491                 ctrl->reg_read(ctrl, SWRM_ENUMERATOR_SLAVE_DEV_ID_2(i), &val2);
    492 
    493                 if (!val1 && !val2)
    494                         break;
    495 
    496                 addr = buf2[1] | (buf2[0] << 8) | (buf1[3] << 16) |
    497                         ((u64)buf1[2] << 24) | ((u64)buf1[1] << 32) |
    498                         ((u64)buf1[0] << 40);
    499 
    500                 sdw_extract_slave_id(bus, addr, &id);
    501                 found = false;
    502                 /* Now compare with entries */
    503                 list_for_each_entry_safe(slave, _s, &bus->slaves, node) {
    504                         if (sdw_compare_devid(slave, id) == 0) {
    505                                 qcom_swrm_set_slave_dev_num(bus, slave, i);
    506                                 found = true;
    507                                 break;
    508                         }
    509                 }
    510 
    511                 if (!found) {
    512                         qcom_swrm_set_slave_dev_num(bus, NULL, i);
    513                         sdw_slave_add(bus, &id, NULL);
    514                 }
    515         }
    516 
    517         complete(&ctrl->enumeration);
    518         return 0;
    519 }

regards,
dan carpenter
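
The index arithmetic behind the "11 <= 11" warning, as an added userspace example that is not part of the original message or of the kernel source. Only the 11-element status array comes from the report; struct model_ctrl, its neighbour member, status_get(), count_oob_reads() and status_offset() are hypothetical names made up for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define SDW_MAX_DEVICES 11 /* array size from the Smatch warning: "11 <= 11" */

/* Constructed model: only the 11-element status array is taken from the report. */
struct model_ctrl {
	int status[SDW_MAX_DEVICES];
	int neighbour; /* hypothetical member that happens to follow the array */
};

/* Bounds-checked read: 0 on success, -1 if i is outside status[]. */
static int status_get(const struct model_ctrl *c, int i, int *out)
{
	if (i < 0 || i >= SDW_MAX_DEVICES)
		return -1;
	*out = c->status[i];
	return 0;
}

/* Walk indices first..last inclusive and count the reads that get rejected. */
static int count_oob_reads(const struct model_ctrl *c, int first, int last)
{
	int i, val, oob = 0;

	for (i = first; i <= last; i++)
		if (status_get(c, i, &val) < 0)
			oob++;
	return oob;
}

/* Byte offset that an unchecked status[idx] access would read from. */
static size_t status_offset(int idx)
{
	return offsetof(struct model_ctrl, status) + (size_t)idx * sizeof(int);
}

int main(void)
{
	struct model_ctrl c = { .neighbour = 1 };

	/* Loop bounds as reported (1..11), then as suggested in the report (0..10). */
	printf("reported:  %d rejected read(s)\n", count_oob_reads(&c, 1, SDW_MAX_DEVICES));
	printf("suggested: %d rejected read(s)\n", count_oob_reads(&c, 0, SDW_MAX_DEVICES - 1));
	printf("status[%d] lands on neighbour: %s\n", SDW_MAX_DEVICES,
	       status_offset(SDW_MAX_DEVICES) == offsetof(struct model_ctrl, neighbour) ? "yes" : "no");
	return 0;
}
```

In this model the last iteration of the reported loop would test whatever member follows the array, so the "Not Present" check for that index is decided by unrelated data.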
