Mason <slash.tmp@xxxxxxx> writes:

> Måns Rullgård wrote:
>
>> The bad index will hit some zero-padding following the array and end
>> up trying to write UART_RXD which is read-only.
>
> I may be about to learn something. Please bear with me.
>
> Just to be clear, we are discussing this code:
>
> static const u8 au_io_out_map[] = {
> 	[0] = 1, [1] = 2, [2] = 4, [3] = 5, [4] = 6,
> };
>
> static void au_serial_out(struct uart_port *p, int offset, int value)
> {
> 	offset = au_io_out_map[offset] << p->regshift;
> 	__raw_writel(value, p->membase + offset);
> }
>
> when au_serial_out is invoked with offset = 7
>
> You're saying that au_io_out_map[7] will likely be 0,

It is in my kernel. Accessing it is against the rules of the C
standard, but in practice nothing checks the declared size of the
array at runtime.

> and __raw_writel(value, p->membase + 0); will try to write to a
> read-only location.
>
> How can p->membase + 0 be RO, while p->membase + 4 is RW?
> What architecture allows such a small granularity for
> memory access protection? How does it work?

Memory protection isn't involved here. The UART register at offset
zero simply doesn't respond to writes (check your datasheet). The CPU
will happily issue the bus transaction, but nothing happens with it.

--
Måns Rullgård
mans@xxxxxxxxx
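The following user-space sketch is an added example, not part of the thread and not kernel code: it shows the silently dropped write described above next to a variant that rejects indexes outside the declared table. Assumptions: `fake_uart`, `fake_writel`, `MAP_ENTRIES`, `map_with_padding` and the two `serial_out_*` functions are hypothetical names, and the zero padding after the table is modelled as explicit array entries, because the real out-of-bounds read is undefined behaviour.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MAP_ENTRIES 5	/* entries the quoted table actually declares */

/* Constructed model: the quoted table followed by three bytes of the
 * zero padding described in the reply, so index 7 is a defined read. */
static const uint8_t map_with_padding[8] = {
	[0] = 1, [1] = 2, [2] = 4, [3] = 5, [4] = 6,
};

/* Hypothetical stand-in for the UART: register 0 (RXD) ignores writes. */
struct fake_uart {
	uint32_t regs[8];
	unsigned int dropped;	/* writes the device did not respond to */
	unsigned int regshift;
};

static void fake_writel(struct fake_uart *u, uint32_t value, size_t off)
{
	if ((off >> u->regshift) == 0)
		u->dropped++;	/* bus transaction issued, nothing happens */
	else
		u->regs[off >> u->regshift] = value;
}

/* Same logic as the quoted au_serial_out(): the index is trusted. */
static void serial_out_unchecked(struct fake_uart *u, int offset, uint32_t value)
{
	fake_writel(u, value, (size_t)map_with_padding[offset] << u->regshift);
}

/* Checked variant: refuse any index outside the declared table. */
static int serial_out_checked(struct fake_uart *u, int offset, uint32_t value)
{
	if (offset < 0 || offset >= MAP_ENTRIES)
		return -EINVAL;
	serial_out_unchecked(u, offset, value);
	return 0;
}

int main(void)
{
	struct fake_uart u = { .regshift = 2 };

	serial_out_unchecked(&u, 7, 0x55);	/* lands on register 0, dropped */
	return serial_out_checked(&u, 7, 0x55) == -EINVAL ? 0 : 1;
}
```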