On Wed, Feb 24, 2021 at 10:55:52AM +0300, Dan Carpenter wrote:
> On Tue, Feb 23, 2021 at 07:38:21PM +0000, Colin King wrote:
> > From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> >
> > Currently the array gpmc_cs is indexed by cs before it cs is range checked
> > and the pointer read from this out-of-index read is dereferenced. Fix this
> > by performing the range check on cs before the read and the following
> > pointer dereference.
> >
> > Addresses-Coverity: ("Negative array index read")
> > Fixes: 186401937927 ("memory: gpmc: Move omap gpmc code to live under drivers")
> > Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> > ---
> > drivers/memory/omap-gpmc.c | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
> > index cfa730cfd145..f80c2ea39ca4 100644
> > --- a/drivers/memory/omap-gpmc.c
> > +++ b/drivers/memory/omap-gpmc.c
> > @@ -1009,8 +1009,8 @@ EXPORT_SYMBOL(gpmc_cs_request);
> >
> > void gpmc_cs_free(int cs)
> > {
> > - struct gpmc_cs_data *gpmc = &gpmc_cs[cs];
> > - struct resource *res = &gpmc->mem;
>
> There is no actual dereferencing going on here, it just taking the
> addresses. But the patch is also harmless and improves readability.
Hm, in the second line indeed the compiler will just calculate the
offset of "mem" field against the "gpmc_cs+cs" and return it's probable
address.
To me still the code is a little bit non-obvious or obfuscated - first
you play with the array[index] and then you check the validity of index.
Best regards,
Krzysztof
