| Message ID | 20211011123638.GB15188@kili (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | soc: imx: imx8m-blk-ctrl: off by one in imx8m_blk_ctrl_xlate() | expand |
Hi Dan, Am Montag, dem 11.10.2021 um 15:36 +0300 schrieb Dan Carpenter: > The > comparison should be >= to prevent reading one element beyond the > end of the array. The onecell_data->domains[] array is allocated in > imx8m_blk_ctrl_probe() and it has "onecell_data->num_domains" elements. Thanks for the patch! I guess this was found via smatch? I should really make it a habit to use smatch on my submissions... > Fixes: 5b340e7813d4 ("soc: imx: add i.MX8M blk-ctrl driver") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Lucas Stach <l.stach@pengutronix.de> > --- > drivers/soc/imx/imx8m-blk-ctrl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/soc/imx/imx8m-blk-ctrl.c b/drivers/soc/imx/imx8m-blk-ctrl.c > index e172d295c441..519b3651d1d9 100644 > --- a/drivers/soc/imx/imx8m-blk-ctrl.c > +++ b/drivers/soc/imx/imx8m-blk-ctrl.c > @@ -139,7 +139,7 @@ imx8m_blk_ctrl_xlate(struct of_phandle_args *args, void *data) > unsigned int index = args->args[0]; > > if (args->args_count != 1 || > - index > onecell_data->num_domains) > + index >= onecell_data->num_domains) > return ERR_PTR(-EINVAL); > > return onecell_data->domains[index];
On Tue, Oct 12, 2021 at 10:29:27AM +0200, Lucas Stach wrote: > Hi Dan, > > Am Montag, dem 11.10.2021 um 15:36 +0300 schrieb Dan Carpenter: > > The > comparison should be >= to prevent reading one element beyond the > > end of the array. The onecell_data->domains[] array is allocated in > > imx8m_blk_ctrl_probe() and it has "onecell_data->num_domains" elements. > > Thanks for the patch! I guess this was found via smatch? I should > really make it a habit to use smatch on my submissions... Yeah, but not a from a published check. I have a private check for off by one errors that warns about any > vs >= comparisons that cannot be proved as correct. regards, dan carpenter
On Mon, Oct 11, 2021 at 03:36:38PM +0300, Dan Carpenter wrote: > The > comparison should be >= to prevent reading one element beyond the > end of the array. The onecell_data->domains[] array is allocated in > imx8m_blk_ctrl_probe() and it has "onecell_data->num_domains" elements. > > Fixes: 5b340e7813d4 ("soc: imx: add i.MX8M blk-ctrl driver") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Applied, thanks!
diff --git a/drivers/soc/imx/imx8m-blk-ctrl.c b/drivers/soc/imx/imx8m-blk-ctrl.c index e172d295c441..519b3651d1d9 100644 --- a/drivers/soc/imx/imx8m-blk-ctrl.c +++ b/drivers/soc/imx/imx8m-blk-ctrl.c @@ -139,7 +139,7 @@ imx8m_blk_ctrl_xlate(struct of_phandle_args *args, void *data) unsigned int index = args->args[0]; if (args->args_count != 1 || - index > onecell_data->num_domains) + index >= onecell_data->num_domains) return ERR_PTR(-EINVAL); return onecell_data->domains[index];
The > comparison should be >= to prevent reading one element beyond the end of the array. The onecell_data->domains[] array is allocated in imx8m_blk_ctrl_probe() and it has "onecell_data->num_domains" elements. Fixes: 5b340e7813d4 ("soc: imx: add i.MX8M blk-ctrl driver") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/soc/imx/imx8m-blk-ctrl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)