Re: [PATCH v3] mmc: tmio-mmc: fix bad pointer math

Ulf Hansson <ulf.hansson@xxxxxxxxxx> · Thu, 13 Jul 2017 12:01:07 +0200

On 12 July 2017 at 17:40, Chris Brandt <chris.brandt@xxxxxxxxxxx> wrote:
> The existing code gives an incorrect pointer value.
> The buffer pointer 'buf' was of type unsigned short *, and 'count' was a
> number in bytes. A cast of buf should have been used.
>
> However, instead of casting, just change the code to use u32 pointers.
>
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Fixes: 8185e51f358a: ("mmc: tmio-mmc: add support for 32bit data port")
> Signed-off-by: Chris Brandt <chris.brandt@xxxxxxxxxxx>
> Reviewed-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>

Thanks, applied for fixes and added a stable tag.

Kind regards
Uffe

> ---
> v3:
>  * Merged lines
>  * Added Reviewed-by
> v2:
>  * Use u32 pointers instead of casting
> ---
>  drivers/mmc/host/tmio_mmc_core.c | 19 +++++++++----------
>  1 file changed, 9 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/mmc/host/tmio_mmc_core.c b/drivers/mmc/host/tmio_mmc_core.c
> index 77e7b56a9099..db779732fd2e 100644
> --- a/drivers/mmc/host/tmio_mmc_core.c
> +++ b/drivers/mmc/host/tmio_mmc_core.c
> @@ -415,30 +415,29 @@ static void tmio_mmc_transfer_data(struct tmio_mmc_host *host,
>          * Transfer the data
>          */
>         if (host->pdata->flags & TMIO_MMC_32BIT_DATA_PORT) {
> -               u8 data[4] = { };
> +               u32 data = 0;
> +               u32 *buf32 = (u32 *)buf;
>
>                 if (is_read)
> -                       sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, (u32 *)buf,
> +                       sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, buf32,
>                                            count >> 2);
>                 else
> -                       sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, (u32 *)buf,
> +                       sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, buf32,
>                                             count >> 2);
>
>                 /* if count was multiple of 4 */
>                 if (!(count & 0x3))
>                         return;
>
> -               buf8 = (u8 *)(buf + (count >> 2));
> +               buf32 += count >> 2;
>                 count %= 4;
>
>                 if (is_read) {
> -                       sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT,
> -                                          (u32 *)data, 1);
> -                       memcpy(buf8, data, count);
> +                       sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, &data, 1);
> +                       memcpy(buf32, &data, count);
>                 } else {
> -                       memcpy(data, buf8, count);
> -                       sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT,
> -                                           (u32 *)data, 1);
> +                       memcpy(&data, buf32, count);
> +                       sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, &data, 1);
>                 }
>
>                 return;
> --
> 2.13.0
>
>