From: Dan Carpenter <error27@gmail.com>
To: okaya@codeaurora.org
Cc: dmaengine@vger.kernel.org,
Masami Ichikawa <masami.ichikawa@miraclelinux.com>,
cip-dev <cip-dev@lists.cip-project.org>
Subject: [bug report] dmaengine: add Qualcomm Technologies HIDMA management driver
Date: Wed, 1 Feb 2023 15:32:42 +0300 [thread overview]
Message-ID: <Y9pb6vRuK6WpsV3P@kili> (raw)
Hello Sinan Kaya,
The patch 7f8f209fd6e0: "dmaengine: add Qualcomm Technologies HIDMA
management driver" from Feb 4, 2016, leads to the following Smatch
static checker warning:
drivers/dma/qcom/hidma_mgmt.c:101 hidma_mgmt_setup()
warn: uncapped user loop index 'i'
drivers/dma/qcom/hidma_mgmt.c
91 }
92
93 if (mgmtdev->max_rd_xactions > HIDMA_MAX_RD_XACTIONS_MASK) {
94 dev_err(&mgmtdev->pdev->dev,
95 "max_rd_xactions cannot be bigger than %ld\n",
96 HIDMA_MAX_RD_XACTIONS_MASK);
97 return -EINVAL;
98 }
99
100 for (i = 0; i < mgmtdev->dma_channels; i++) {
--> 101 if (mgmtdev->priority[i] > 1) {
^^^^^^^^^^^^^^^^^^^^
The sysfs interface lets you set mgmtdev->dma_channels so this is an
array out of bounds access. It's in hidma_mgmt_sys.c
drivers/dma/qcom/hidma_mgmt_sys.c
26 #define IMPLEMENT_GETSET(name) \
27 static int get_##name(struct hidma_mgmt_dev *mdev) \
28 { \
29 return mdev->name; \
30 } \
31 static int set_##name(struct hidma_mgmt_dev *mdev, u64 val) \
32 { \
33 u64 tmp; \
34 int rc; \
35 \
36 tmp = mdev->name; \
37 mdev->name = val; \
38 rc = hidma_mgmt_setup(mdev); \
39 if (rc) \
40 mdev->name = tmp; \
41 return rc; \
42 }
43
44 #define DECLARE_ATTRIBUTE(name, mode) \
45 {#name, mode, get_##name, set_##name}
46
47 IMPLEMENT_GETSET(hw_version_major)
48 IMPLEMENT_GETSET(hw_version_minor)
49 IMPLEMENT_GETSET(max_wr_xactions)
50 IMPLEMENT_GETSET(max_rd_xactions)
51 IMPLEMENT_GETSET(max_write_request)
52 IMPLEMENT_GETSET(max_read_request)
53 IMPLEMENT_GETSET(dma_channels)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
54 IMPLEMENT_GETSET(chreset_timeout_cycles)
regards,
dan carpenter
reply other threads:[~2023-02-01 13:04 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y9pb6vRuK6WpsV3P@kili \
--to=error27@gmail.com \
--cc=cip-dev@lists.cip-project.org \
--cc=dmaengine@vger.kernel.org \
--cc=masami.ichikawa@miraclelinux.com \
--cc=okaya@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox