The upper bound check on the `mode` parameter of `i8254_set_mode()` and
`i8254_mm_set_mode()` is incorrect. The `mode` parameter value consists
of a mode number in the range 0 to 5 in bits 3..1 {represented by the
constants `I8254_MODE0` (0 << 1) through to `I8254_MODE5` (2 << 1)} ORed
with a BCD/binary flag in bit 0 {represented by the constants
`I8254_BINARY` (0) and `I8254_BCD` (1)}. The maximum allowed value
ought to be `I8254_MODE5 | I8254_BCD` ((5 << 1) | 1), but is currently
`I8254_MODE5 | I8254_BINARY` ((5 << 1) | 0). Fix it.
None of the comedi drivers use `I8254_BCD` but some of the low-level
drivers allow user-space to configure the counter mode, so all legal
values ought to be allowed. However, it's pretty unlikely anyone would
want to set the counters to count in BCD (binary coded decimal) so the
bug is not that significant.
Reported-by: Hartley Sweeten <HartleyS@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Ian Abbott <abbotti@xxxxxxxxx>
---
drivers/staging/comedi/drivers/8253.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/comedi/drivers/8253.h b/drivers/staging/comedi/drivers/8253.h
index e3d737c..a66563a 100644
--- a/drivers/staging/comedi/drivers/8253.h
+++ b/drivers/staging/comedi/drivers/8253.h
@@ -386,7 +386,7 @@ static inline int i8254_set_mode(unsigned long base_address,
if (counter_number > 2)
return -1;
- if (mode > (I8254_MODE5 | I8254_BINARY))
+ if (mode > (I8254_MODE5 | I8254_BCD))
return -1;
byte = counter_number << 6;
@@ -406,7 +406,7 @@ static inline int i8254_mm_set_mode(void __iomem *base_address,
if (counter_number > 2)
return -1;
- if (mode > (I8254_MODE5 | I8254_BINARY))
+ if (mode > (I8254_MODE5 | I8254_BCD))
return -1;
byte = counter_number << 6;
--
1.9.2
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
