diff mbox series

soc: imx: imx8m-blk-ctrl: off by one in imx8m_blk_ctrl_xlate()

Message ID 20211011123638.GB15188@kili (mailing list archive)
State New, archived
Headers show
Series soc: imx: imx8m-blk-ctrl: off by one in imx8m_blk_ctrl_xlate() | expand

Commit Message

Dan Carpenter Oct. 11, 2021, 12:36 p.m. UTC
The > comparison should be >= to prevent reading one element beyond the
end of the array.  The onecell_data->domains[] array is allocated in
imx8m_blk_ctrl_probe() and it has "onecell_data->num_domains" elements.

Fixes: 5b340e7813d4 ("soc: imx: add i.MX8M blk-ctrl driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/soc/imx/imx8m-blk-ctrl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Lucas Stach Oct. 12, 2021, 8:29 a.m. UTC | #1
Hi Dan,

Am Montag, dem 11.10.2021 um 15:36 +0300 schrieb Dan Carpenter:
> The > comparison should be >= to prevent reading one element beyond the
> end of the array.  The onecell_data->domains[] array is allocated in
> imx8m_blk_ctrl_probe() and it has "onecell_data->num_domains" elements.

Thanks for the patch! I guess this was found via smatch? I should
really make it a habit to use smatch on my submissions...

> Fixes: 5b340e7813d4 ("soc: imx: add i.MX8M blk-ctrl driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Reviewed-by: Lucas Stach <l.stach@pengutronix.de>

> ---
>  drivers/soc/imx/imx8m-blk-ctrl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/soc/imx/imx8m-blk-ctrl.c b/drivers/soc/imx/imx8m-blk-ctrl.c
> index e172d295c441..519b3651d1d9 100644
> --- a/drivers/soc/imx/imx8m-blk-ctrl.c
> +++ b/drivers/soc/imx/imx8m-blk-ctrl.c
> @@ -139,7 +139,7 @@ imx8m_blk_ctrl_xlate(struct of_phandle_args *args, void *data)
>  	unsigned int index = args->args[0];
>  
>  	if (args->args_count != 1 ||
> -	    index > onecell_data->num_domains)
> +	    index >= onecell_data->num_domains)
>  		return ERR_PTR(-EINVAL);
>  
>  	return onecell_data->domains[index];
Dan Carpenter Oct. 12, 2021, 9:33 a.m. UTC | #2
On Tue, Oct 12, 2021 at 10:29:27AM +0200, Lucas Stach wrote:
> Hi Dan,
> 
> Am Montag, dem 11.10.2021 um 15:36 +0300 schrieb Dan Carpenter:
> > The > comparison should be >= to prevent reading one element beyond the
> > end of the array.  The onecell_data->domains[] array is allocated in
> > imx8m_blk_ctrl_probe() and it has "onecell_data->num_domains" elements.
> 
> Thanks for the patch! I guess this was found via smatch? I should
> really make it a habit to use smatch on my submissions...

Yeah, but not a from a published check.  I have a private check for
off by one errors that warns about any > vs >= comparisons that cannot
be proved as correct.

regards,
dan carpenter
Shawn Guo Oct. 15, 2021, 3:10 a.m. UTC | #3
On Mon, Oct 11, 2021 at 03:36:38PM +0300, Dan Carpenter wrote:
> The > comparison should be >= to prevent reading one element beyond the
> end of the array.  The onecell_data->domains[] array is allocated in
> imx8m_blk_ctrl_probe() and it has "onecell_data->num_domains" elements.
> 
> Fixes: 5b340e7813d4 ("soc: imx: add i.MX8M blk-ctrl driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied, thanks!
diff mbox series

Patch

diff --git a/drivers/soc/imx/imx8m-blk-ctrl.c b/drivers/soc/imx/imx8m-blk-ctrl.c
index e172d295c441..519b3651d1d9 100644
--- a/drivers/soc/imx/imx8m-blk-ctrl.c
+++ b/drivers/soc/imx/imx8m-blk-ctrl.c
@@ -139,7 +139,7 @@  imx8m_blk_ctrl_xlate(struct of_phandle_args *args, void *data)
 	unsigned int index = args->args[0];
 
 	if (args->args_count != 1 ||
-	    index > onecell_data->num_domains)
+	    index >= onecell_data->num_domains)
 		return ERR_PTR(-EINVAL);
 
 	return onecell_data->domains[index];