Although very unlikely, the 'clk_num' value may be as big as 2**32 - 1 (uint32_max), so the buffer should have enough space for storing "clk_uart_baud4294967295\0". Also, the numbers in clk_name are expected to be unsigned. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 5f5a7a5578c58852 ("serial: samsung: switch to clkdev based clock lookup") Signed-off-by: Alexey V. Vissarionov <gremlin@xxxxxxxxxxxx>
diff --git a/drivers/tty/serial/samsung_tty.c b/drivers/tty/serial/samsung_tty.c
index 0fce856434dafd80..2c701dc7c6a37191 100644
--- a/drivers/tty/serial/samsung_tty.c
+++ b/drivers/tty/serial/samsung_tty.c
@@ -1407,7 +1407,7 @@ static void s3c24xx_serial_pm(struct uart_port *port, unsigned int level,
 *
 */
-#define MAX_CLK_NAME_LENGTH 15
+#define MAX_CLK_NAME_LENGTH 24 /* "clk_uart_baud4294967295\0" */
 static inline int s3c24xx_serial_getsource(struct uart_port *port)
 {
@@ -1457,7 +1457,7 @@ static unsigned int s3c24xx_serial_getclk(struct s3c24xx_uart_port *ourport,
 !(ourport->cfg->clk_sel & (1 << cnt)))
 continue;
- sprintf(clkname, "clk_uart_baud%d", cnt);
+ sprintf(clkname, "clk_uart_baud%u", cnt);
 clk = clk_get(ourport->port.dev, clkname);
 if (IS_ERR(clk))
 continue;
@@ -1957,7 +1957,7 @@ static int s3c24xx_serial_enable_baudclk(struct s3c24xx_uart_port *ourport)
 if (!(clk_sel & (1 << clk_num)))
 continue;
- sprintf(clk_name, "clk_uart_baud%d", clk_num);
+ sprintf(clk_name, "clk_uart_baud%u", clk_num);
 clk = clk_get(dev, clk_name);
 if (IS_ERR(clk))
 continue;
@@ -2522,7 +2522,7 @@ s3c24xx_serial_get_options(struct uart_port *port, int *baud,
 /* now calculate the baud rate */
 clk_sel = s3c24xx_serial_getsource(port);
- sprintf(clk_name, "clk_uart_baud%d", clk_sel);
+ sprintf(clk_name, "clk_uart_baud%u", clk_sel);
 clk = clk_get(port->dev, clk_name);
 if (!IS_ERR(clk))
-- Alexey V. Vissarionov gremlin ПРИ altlinux ТЧК org; +vii-cmiii-ccxxix-lxxix-xlii GPG: 0D92F19E1C0DC36E27F61A29CD17E2B43D879005 @ hkp://keys.gnupg.net
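Review bot: The new value in `#define MAX_CLK_NAME_LENGTH 24` (hunk at -1407) is a hand-counted length that stays correct only while the `clk_uart_baud` prefix in the three format strings is unchanged. Deriving it from the worst-case literal, `#define MAX_CLK_NAME_LENGTH sizeof("clk_uart_baud4294967295")`, keeps the size and the string it is meant to hold in one place and removes the need for the trailing comment. This assumes the macro is used only as an array size; its uses are outside the hunk.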
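Review bot: The `sprintf()` into `clkname` in s3c24xx_serial_getclk (hunk at -1457) is still unbounded, so the write is safe only because the buffer has been sized by hand for the widest possible value; the same applies to the `sprintf()` calls in s3c24xx_serial_enable_baudclk (-1957) and s3c24xx_serial_get_options (-2522). A bounded call such as `snprintf(clkname, sizeof(clkname), "clk_uart_baud%u", cnt);` enforces the limit at the write itself and would have kept the original 15-byte buffer from being overrun. This assumes `clkname` and `clk_name` are local arrays; their declarations, and the rest of each function body, are outside the hunks.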
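Review bot: In s3c24xx_serial_get_options (hunk at -2522) the value now printed with `%u` comes from s3c24xx_serial_getsource(), which the context of the first hunk shows returning `int`. If `clk_sel` is declared `int` there (the declaration is outside the hunk), the specifier and the argument type disagree, and a signedness-aware format check may flag it. Declaring the variable `unsigned int`, or casting at the call as in `sprintf(clk_name, "clk_uart_baud%u", (unsigned int)clk_sel);`, makes the 24-byte bound hold by construction. The declared types of `cnt` and `clk_num` in the two earlier hunks are worth the same check.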