From: gabriele paoloni <gabriele.paoloni@xxxxxxxxxx>

This patch adds sanity checks on "where" input parameter in dw_pcie_cfg_read and dw_pcie_cfg_write. These checks make sure that offset passed in by the caller is not in conflict with the size of the PCI header field that is being read/written

Signed-off-by: Gabriele Paoloni <gabriele.paoloni@xxxxxxxxxx>
---
 drivers/pci/host/pcie-designware.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/drivers/pci/host/pcie-designware.c b/drivers/pci/host/pcie-designware.c
index cb23e31..6812f69 100644
--- a/drivers/pci/host/pcie-designware.c
+++ b/drivers/pci/host/pcie-designware.c
@@ -88,9 +88,14 @@ int dw_pcie_cfg_read(void __iomem *addr, int where, int size, u32 *val)

 if (size == 1)
 *val = (*val >> (8 * where)) & 0xff;
- else if (size == 2)
+ else if (size == 2) {
+ if (where & 1)
+ return PCIBIOS_BAD_REGISTER_NUMBER;
 *val = (*val >> (8 * where)) & 0xffff;
- else if (size != 4)
+ } else if (size == 4) {
+ if (where & 3)
+ return PCIBIOS_BAD_REGISTER_NUMBER;
+ } else
 return PCIBIOS_BAD_REGISTER_NUMBER;

 return PCIBIOS_SUCCESSFUL;
@@ -100,11 +105,15 @@ int dw_pcie_cfg_write(void __iomem *addr, int where, int size, u32 val)
 {
 addr += where;

- if (size == 4)
+ if (size == 4) {
+ if ((uintptr_t)addr & 3)
+ return PCIBIOS_BAD_REGISTER_NUMBER;
 writel(val, addr);
- else if (size == 2)
+ } else if (size == 2) {
+ if ((uintptr_t)addr & 1)
+ return PCIBIOS_BAD_REGISTER_NUMBER;
 writew(val, addr);
- else if (size == 1)
+ } else if (size == 1)
 writeb(val, addr);
 else
 return PCIBIOS_BAD_REGISTER_NUMBER;
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-pci" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
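Review bot: In dw_pcie_cfg_read the added `where & 1` test rejects only odd offsets, so the size == 2 branch still shifts by `8 * where` for any even `where` of 4 or more, and the unchanged size == 1 branch has no test at all; shifting a u32 by 32 bits or more, or by a negative count since `where` is a signed int, is undefined behaviour. Unless every caller already passes an offset within the dword (not visible here), a range guard ahead of the branches would close this, for example `if (where < 0 || where > 3) return PCIBIOS_BAD_REGISTER_NUMBER;`. The new error returns also leave `*val` holding whatever was stored before this hunk (the function body starts outside it), so `*val = 0;` on the failing paths would keep a caller that ignores the status from using stale data. The final `} else` is followed by an unbraced statement; kernel style braces every branch once one of them is braced.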
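Review bot: The alignment tests in dw_pcie_cfg_write look at `(uintptr_t)addr` after `addr += where`, while the read path in this same patch tests `where`, so the two functions reject different inputs whenever the base pointer passed in is not itself dword-aligned, and an aligned negative `where` passes here. Using one form in both would make the contract clear, for example testing the offset before it is added with `if (where < 0 || (where & (size - 1))) return PCIBIOS_BAD_REGISTER_NUMBER;` once `size` is known to be 1, 2 or 4. A one-line comment above the function saying whether `where` is the full config offset or the offset within the dword would help, since the hunk does not show which the callers pass. `} else if (size == 1)` and the trailing `else` stay unbraced beside braced branches, and the function continues past the end of the hunk.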