(adding Rafael and linux-acpi)

On Fri, Jan 15, 2016 at 6:22 PM, Ashwin Chaugule <ashwin.chaugule@xxxxxxxxxx> wrote:
> + Jassi (Linaro addr)
>
> On 15 January 2016 at 13:20, Ashwin Chaugule <ashwin.chaugule@xxxxxxxxxx> wrote:
>> Jassi,
>>
>> On 10 December 2015 at 13:19, Ashwin Chaugule
>> <ashwin.chaugule@xxxxxxxxxx> wrote:
>>> On 10 December 2015 at 12:28, Alexey Klimov <alexey.klimov@xxxxxxx> wrote:
>>>> This patch fixes the calculation of pcc_chan for non-zero id.
>>>> After the compiler ignores the (unsigned long) cast the
>>>> pcc_mbox_channels pointer is type-cast and then the type-cast
>>>> offset is added which results in address outside of the range
>>>> leading to the kernel crashing.
>>>>
>>>> We might add braces and make it:
>>>>
>>>> pcc_chan = (struct mbox_chan *)
>>>>         ((unsigned long) pcc_mbox_channels +
>>>>         (id * sizeof(*pcc_chan)));
>>>>
>>>> but let's go with array approach here and use id as index.
>>>>
>>>> Tested on Juno board.
>>>>
>>>> Acked-by: Sudeep Holla <sudeep.holla@xxxxxxx>
>>>> Signed-off-by: Alexey Klimov <alexey.klimov@xxxxxxx>
>>>> ---
>>>> drivers/mailbox/pcc.c | 8 +-------
>>>> 1 file changed, 1 insertion(+), 7 deletions(-)
>>>>
>>>> diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c >>>> index 45d85ae..8f779a1 100644 >>>> --- a/drivers/mailbox/pcc.c >>>> +++ b/drivers/mailbox/pcc.c
>>>> @@ -81,16 +81,10 @@ static struct mbox_controller pcc_mbox_ctrl = {}; >>>> */ >>>> static struct mbox_chan *get_pcc_channel(int id) >>>> { >>>> - struct mbox_chan *pcc_chan; >>>> - >>>> if (id < 0 || id > pcc_mbox_ctrl.num_chans) >>>> return ERR_PTR(-ENOENT); >>>> >>>> - pcc_chan = (struct mbox_chan *) >>>> - (unsigned long) pcc_mbox_channels + >>>> - (id * sizeof(*pcc_chan)); >>>> - >>>> - return pcc_chan; >>>> + return &pcc_mbox_channels[id]; >>>> } >>>>
>>>
>>>
>>> Strange that we didn't catch this even with a non-zero id. But the
>>> change makes sense so..
>>>
>>> Acked-by: Ashwin Chaugule <ashwin.chaugule@xxxxxxxxxx>
>>
>> Can you please include this patch in your pull request to Linus?

Hi Rafael,

any chance you can take this fix via your tree? I can resend patch if you want.
Looks like Jassi doesn't have time or doesn't care.

Best regards,
Alexey
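
Review bot: the range check left as unchanged context in get_pcc_channel(), "if (id < 0 || id > pcc_mbox_ctrl.num_chans)", still lets id == num_chans through, and with the new "return &pcc_mbox_channels[id];" that value yields a pointer one element past the last channel if pcc_mbox_channels holds num_chans entries (the array size is not visible in this hunk). Consider changing the test to "id >= pcc_mbox_ctrl.num_chans" in the same patch. The commit message could also state the cause more precisely: in the removed expression the (struct mbox_chan *) cast applies to pcc_mbox_channels before the addition, so "id * sizeof(*pcc_chan)" is added as an element count and not as a byte offset.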