[patch] ti-st: clean up data types (fix harmless memory corruption)

public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Gigi Joseph <gigi.joseph@gmail.com>
Cc: Lee Jones <lee.jones@linaro.org>, bvijay <bvijay@ti.com>,
	Eyal Reizer <eyalr@ti.com>,
	linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] ti-st: clean up data types (fix harmless memory corruption)
Date: Thu, 15 Jan 2015 11:42:27 +0000	[thread overview]
Message-ID: <20150115114227.GB17976@mwanda> (raw)

The big issue here is:

	of_property_read_u32(np, "flow_cntrl", (u32 *)&dt_pdata->flow_cntrl);

"->flow_cntrl" is a char so when we write a 32 bit number to it then it
corrupts past the end of the char.  It's probably hard to notice because
the struct has padding so the code works on little endian systems. But
on a big endian system the code would fail and on a 64 bit, big endian
systems then "nshutdown_gpio" and "baud_rate" would be buggy as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/include/linux/ti_wilink_st.h b/include/linux/ti_wilink_st.h
index 9072d9f..c78dcfe 100644
--- a/include/linux/ti_wilink_st.h
+++ b/include/linux/ti_wilink_st.h
@@ -262,7 +262,7 @@ struct kim_data_s {
 	struct completion kim_rcvd, ldisc_installed;
 	char resp_buffer[30];
 	const struct firmware *fw_entry;
-	long nshutdown;
+	unsigned nshutdown;
 	unsigned long rx_state;
 	unsigned long rx_count;
 	struct sk_buff *rx_skb;
@@ -270,8 +270,8 @@ struct kim_data_s {
 	struct chip_version version;
 	unsigned char ldisc_install;
 	unsigned char dev_name[UART_DEV_NAME_LEN + 1];
-	unsigned char flow_cntrl;
-	unsigned long baud_rate;
+	unsigned flow_cntrl;
+	unsigned baud_rate;
 };
 
 /**
@@ -437,10 +437,10 @@ struct gps_event_hdr {
  *
  */
 struct ti_st_plat_data {
-	long nshutdown_gpio;
+	u32 nshutdown_gpio;
 	unsigned char dev_name[UART_DEV_NAME_LEN]; /* uart name */
-	unsigned char flow_cntrl; /* flow control flag */
-	unsigned long baud_rate;
+	u32 flow_cntrl; /* flow control flag */
+	u32 baud_rate;
 	int (*suspend)(struct platform_device *, pm_message_t);
 	int (*resume)(struct platform_device *);
 	int (*chip_enable) (struct kim_data_s *);
diff --git a/drivers/misc/ti-st/st_kim.c b/drivers/misc/ti-st/st_kim.c
index 7109d28..104f271 100644
--- a/drivers/misc/ti-st/st_kim.c
+++ b/drivers/misc/ti-st/st_kim.c
@@ -635,7 +635,7 @@ static ssize_t show_baud_rate(struct device *dev,
 		struct device_attribute *attr, char *buf)
 {
 	struct kim_data_s *kim_data = dev_get_drvdata(dev);
-	return sprintf(buf, "%ld\n", kim_data->baud_rate);
+	return sprintf(buf, "%d\n", kim_data->baud_rate);
 }
 
 static ssize_t show_flow_cntrl(struct device *dev,
@@ -757,9 +757,9 @@ static struct ti_st_plat_data *get_platform_data(struct device *dev)
 	if (dt_property)
 		memcpy(&dt_pdata->dev_name, dt_property, len);
 	of_property_read_u32(np, "nshutdown_gpio",
-			     (u32 *)&dt_pdata->nshutdown_gpio);
-	of_property_read_u32(np, "flow_cntrl", (u32 *)&dt_pdata->flow_cntrl);
-	of_property_read_u32(np, "baud_rate", (u32 *)&dt_pdata->baud_rate);
+			     &dt_pdata->nshutdown_gpio);
+	of_property_read_u32(np, "flow_cntrl", &dt_pdata->flow_cntrl);
+	of_property_read_u32(np, "baud_rate", &dt_pdata->baud_rate);
 
 	return dt_pdata;
 }
@@ -809,14 +809,14 @@ static int kim_probe(struct platform_device *pdev)
 	kim_gdata->nshutdown = pdata->nshutdown_gpio;
 	err = gpio_request(kim_gdata->nshutdown, "kim");
 	if (unlikely(err)) {
-		pr_err(" gpio %ld request failed ", kim_gdata->nshutdown);
+		pr_err(" gpio %d request failed ", kim_gdata->nshutdown);
 		return err;
 	}
 
 	/* Configure nShutdown GPIO as output=0 */
 	err = gpio_direction_output(kim_gdata->nshutdown, 0);
 	if (unlikely(err)) {
-		pr_err(" unable to configure gpio %ld", kim_gdata->nshutdown);
+		pr_err(" unable to configure gpio %d", kim_gdata->nshutdown);
 		return err;
 	}
 	/* get reference of pdev for request_firmware

                 reply	other threads:[~2015-01-15 11:42 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:9072d9f dfblob:c78dcfe dfblob:7109d28 dfblob:104f271 )
 OR (
bs:"[patch] ti-st: clean up data types (fix harmless memory corruption)" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150115114227.GB17976@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=bvijay@ti.com \
    --cc=eyalr@ti.com \
    --cc=gigi.joseph@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=lee.jones@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox