* [PATCH] qe_ic: fix a buffer overflow error and add check elsewhere
From: Zhao Qiang @ 2016-01-21 1:06 UTC (permalink / raw)
To: linuxppc-dev, linux-kernel; +Cc: tglx, leoyang.li, oss, xiaobo.xie, Zhao Qiang
127 is the theoretical upper boundary of the QEIC number,
in fact there are only 44 qe_ic_info now.
Add a check for overflow of qe_ic_info.
Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
---
drivers/soc/fsl/qe/qe_ic.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/soc/fsl/qe/qe_ic.c b/drivers/soc/fsl/qe/qe_ic.c
index 5419527..90c00b7 100644
--- a/drivers/soc/fsl/qe/qe_ic.c
+++ b/drivers/soc/fsl/qe/qe_ic.c
@@ -261,6 +261,11 @@ static int qe_ic_host_map(struct irq_domain *h, unsigned int virq,
struct qe_ic *qe_ic = h->host_data;
struct irq_chip *chip;
+ if (hw >= ARRAY_SIZE(qe_ic_info)) {
+ pr_err("%s: Invalid hw irq number for QEIC\n", __func__);
+ return -EINVAL;
+ }
+
if (qe_ic_info[hw].mask == 0) {
printk(KERN_ERR "Can't map reserved IRQ\n");
return -EINVAL;
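Review bot: The pr_err() in the new bounds check at the top of qe_ic_host_map() does not print the rejected hw value, so the log reports an invalid interrupt number without saying which one; including hw and ARRAY_SIZE(qe_ic_info) in the message would make the offending input identifiable. The new check uses pr_err() while the reserved-IRQ check directly below it still uses printk(KERN_ERR ...), so the two error paths in this function now log in different styles; converting the old one in the same patch would keep them consistent. Placement is right: the check runs before the first qe_ic_info[hw].mask read.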
@@ -409,7 +414,8 @@ int qe_ic_set_priority(unsigned int virq, unsigned int priority)
if (priority > 8 || priority == 0)
return -EINVAL;
- if (src > 127)
+ if (WARN_ONCE(src >= ARRAY_SIZE(qe_ic_info),
+ "%s: Invalid hw irq number for QEIC\n", __func__))
return -EINVAL;
if (qe_ic_info[src].pri_reg == 0)
return -EINVAL;
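Review bot: WARN_ONCE() on the src range check in qe_ic_set_priority() is a heavier response than the pr_err() used for the same condition in qe_ic_host_map(): it dumps a backtrace, stays silent for every later bad call, and on a system running with panic_on_warn it turns an invalid argument into a panic. If an out-of-range src is a caller bug, say so in the commit message; otherwise a plain error message with the src value and return -EINVAL would be enough. The replaced test "if (src > 127)" is the actual overflow fix, since it let any index up to 127 reach qe_ic_info[src].pri_reg while the commit message says the table has 44 entries, and the changelog should state that explicitly.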
@@ -438,6 +444,9 @@ int qe_ic_set_high_priority(unsigned int virq, unsigned int priority, int high)
if (priority > 2 || priority == 0)
return -EINVAL;
+ if (WARN_ONCE(src >= ARRAY_SIZE(qe_ic_info),
+ "%s: Invalid hw irq number for QEIC\n", __func__))
+ return -EINVAL;
switch (qe_ic_info[src].pri_reg) {
case QEIC_CIPZCC:
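Review bot: The three-line WARN_ONCE() check added before the switch in qe_ic_set_high_priority() is a verbatim copy of the one added to qe_ic_set_priority(), so the bound and the message now live in two places (three, counting the pr_err() variant in qe_ic_host_map()); a small static helper that validates the index against ARRAY_SIZE(qe_ic_info) would keep them from drifting apart. Unlike the first hunk, no blank line is added after the new "return -EINVAL;", so the check runs straight into "switch (qe_ic_info[src].pri_reg) {"; add one for readability.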
--
2.1.0.27.g96db324
* Re: [PATCH] qe_ic: fix a buffer overflow error and add check elsewhere
From: Leo Li @ 2016-01-22 9:15 UTC (permalink / raw)
To: Zhao Qiang; +Cc: linuxppc-dev, lkml, Thomas Gleixner, Li Yang, oss, xiaobo.xie
On Thu, Jan 21, 2016 at 9:06 AM, Zhao Qiang <qiang.zhao@nxp.com> wrote:
> 127 is the theoretical upper boundary of the QEIC number,
> in fact there are only 44 qe_ic_info now.
> Add a check for overflow of qe_ic_info.
>
> Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
Acked-by: Li Yang <leoyang.li@nxp.com>
Regards,
Leo
* Re: [PATCH] qe_ic: fix a buffer overflow error and add check elsewhere
From: Thomas Gleixner @ 2016-01-26 17:31 UTC (permalink / raw)
To: Zhao Qiang; +Cc: linuxppc-dev, linux-kernel, leoyang.li, oss, xiaobo.xie
On Thu, 21 Jan 2016, Zhao Qiang wrote:
> 127 is the theoretical upper boundary of the QEIC number,
> in fact there are only 44 qe_ic_info now.
> Add a check for overflow of qe_ic_info.
How do you trigger that overflow? The above does not explain WHY we need these
checks.
> diff --git a/drivers/soc/fsl/qe/qe_ic.c b/drivers/soc/fsl/qe/qe_ic.c
> index 5419527..90c00b7 100644
> --- a/drivers/soc/fsl/qe/qe_ic.c
> +++ b/drivers/soc/fsl/qe/qe_ic.c
Sigh. Another dump ground for SOC stuff? irq chip drivers belong into
drivers/irqchip.
Thanks,
tglx
* Re: [PATCH] qe_ic: fix a buffer overflow error and add check elsewhere
From: Scott Wood @ 2016-01-26 18:08 UTC (permalink / raw)
To: Thomas Gleixner, Zhao Qiang
Cc: linuxppc-dev, linux-kernel, leoyang.li, xiaobo.xie
On Tue, 2016-01-26 at 18:31 +0100, Thomas Gleixner wrote:
> On Thu, 21 Jan 2016, Zhao Qiang wrote:
>
> > 127 is the theoretical upper boundary of the QEIC number,
> > in fact there are only 44 qe_ic_info now.
> > Add a check for overflow of qe_ic_info.
>
> How do you trigger that overflow? The above does not explain WHY we need
> these
> checks.
The check in qe_ic_host_map can be triggered by bad data in a device tree.
The set_priority functions do not appear to be used at all.
>
> > diff --git a/drivers/soc/fsl/qe/qe_ic.c b/drivers/soc/fsl/qe/qe_ic.c
> > index 5419527..90c00b7 100644
> > --- a/drivers/soc/fsl/qe/qe_ic.c
> > +++ b/drivers/soc/fsl/qe/qe_ic.c
>
> Sigh. Another dump ground for SOC stuff?
Another? Where are the others, besides arch?
> irq chip drivers belong into drivers/irqchip.
Yes. This stuff was recently moved out of arch/powerpc to work toward being
able to use it on ARM. I'm expecting followup patches to move things like
this that belong elsewhere.
-Scott