Coverity: imx_mu_scu_rx(): Memory - corruptions

Coverity: imx_mu_scu_rx(): Memory - corruptions

[coverity-bot]

Hello!

This is an experimental automated report about issues detected by Coverity
from a scan of next-20200413 as part of the linux-next weekly scan project:
https://scan.coverity.com/projects/linux-next-weekly-scan

You're getting this email because you were associated with the identified
lines of code (noted below) that were touched by commits:

  Thu Mar 19 15:49:52 2020 +0800
    0a67003b1985 ("mailbox: imx: add SCU MU support")

Coverity reported the following:

*** CID 1461658:  Memory - corruptions  (OVERRUN)
/drivers/mailbox/imx-mailbox.c: 214 in imx_mu_scu_rx()
208     		ret = readl_poll_timeout(priv->base + priv->dcfg->xSR, xsr,
209     					 xsr & IMX_MU_xSR_RFn(i % 4), 0, 100);
210     		if (ret) {
211     			dev_err(priv->dev, "timeout read idx %d\n", i);
212     			return ret;
213     		}
vvv     CID 1461658:  Memory - corruptions  (OVERRUN)
vvv     Overrunning array of 8 4-byte elements at element index 31 (byte offset 127) by dereferencing pointer "data++".
214     		*data++ = imx_mu_read(priv, priv->dcfg->xRR[i % 4]);
215     	}
216
217     	imx_mu_xcr_rmw(priv, IMX_MU_xCR_RIEn(0), 0);
218     	mbox_chan_received_data(cp->chan, (void *)&msg);
219

If this is a false positive, please let us know so we can mark it as
such, or teach the Coverity rules to be smarter. If not, please make
sure fixes get into linux-next. :) For patches fixing this, please
include these lines (but double-check the "Fixes" first):

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1461658 ("Memory - corruptions")
Fixes: 0a67003b1985 ("mailbox: imx: add SCU MU support")

Thanks for your attention!

-- 
Coverity-bot

RE: Coverity: imx_mu_scu_rx(): Memory - corruptions

[Peng Fan]

> Subject: Coverity: imx_mu_scu_rx(): Memory - corruptions
> 
> Hello!
> 
> This is an experimental automated report about issues detected by Coverity
> from a scan of next-20200413 as part of the linux-next weekly scan project:
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscan.c
> overity.com%2Fprojects%2Flinux-next-weekly-scan&data=02%7C01%7C
> peng.fan%40nxp.com%7C2fc3fda23e3b48113d5308d7dfc6b2a4%7C686ea1d
> 3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637223916798332770&sd
> ata=Nve1Fh6M3qPosrnqIYyipoE8Ytp3iu55FB0uymJS6uU%3D&reserved=
> 0
> 
> You're getting this email because you were associated with the identified lines
> of code (noted below) that were touched by commits:
> 
>   Thu Mar 19 15:49:52 2020 +0800
>     0a67003b1985 ("mailbox: imx: add SCU MU support")
> 
> Coverity reported the following:
> 
> *** CID 1461658:  Memory - corruptions  (OVERRUN)
> /drivers/mailbox/imx-mailbox.c: 214 in imx_mu_scu_rx()
> 208     		ret = readl_poll_timeout(priv->base + priv->dcfg->xSR, xsr,
> 209     					 xsr & IMX_MU_xSR_RFn(i % 4), 0, 100);
> 210     		if (ret) {
> 211     			dev_err(priv->dev, "timeout read idx %d\n", i);
> 212     			return ret;
> 213     		}
> vvv     CID 1461658:  Memory - corruptions  (OVERRUN)
> vvv     Overrunning array of 8 4-byte elements at element index 31 (byte
> offset 127) by dereferencing pointer "data++".
> 214     		*data++ = imx_mu_read(priv, priv->dcfg->xRR[i % 4]);

There is no issue in the loop, it is just the check should not use sizeof,
it should use sizeof() / 4.

Thanks for the report.

Thanks,
Peng.


> 215     	}
> 216
> 217     	imx_mu_xcr_rmw(priv, IMX_MU_xCR_RIEn(0), 0);
> 218     	mbox_chan_received_data(cp->chan, (void *)&msg);
> 219
> 
> If this is a false positive, please let us know so we can mark it as such, or
> teach the Coverity rules to be smarter. If not, please make sure fixes get into
> linux-next. :) For patches fixing this, please include these lines (but
> double-check the "Fixes" first):
> 
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1461658 ("Memory - corruptions")
> Fixes: 0a67003b1985 ("mailbox: imx: add SCU MU support")
> 
> Thanks for your attention!
> 
> --
> Coverity-bot