re: staging: drm/imx: add i.MX IPUv3 base driver

Fri, 08 Nov 2013 01:48:51 -0800 

Hello Sascha Hauer,

The patch aecfbdb1803b: "staging: drm/imx: add i.MX IPUv3 base 
driver" from Sep 21, 2012, leads to the following
static checker warning: 
"drivers/staging/imx-drm/ipu-v3/ipu-common.c:110 
ipu_ch_param_write_field()
         warn: buffer overflow 'base->word[word]->data' 5 <= 5"

drivers/staging/imx-drm/ipu-v3/ipu-common.c
    92  void ipu_ch_param_write_field(struct ipu_ch_param __iomem *base, u32 
wbs, u32 v)
    93  {
    94          u32 bit = (wbs >> 8) % 160;
    95          u32 size = wbs & 0xff;
    96          u32 word = (wbs >> 8) / 160;
    97          u32 i = bit / 32;
                ^^^^^^^^^^^^^^^^^
i is between 0 and 4.

    98          u32 ofs = bit % 32;
    99          u32 mask = (1 << size) - 1;
   100          u32 val;
   101  
   102          pr_debug("%s %d %d %d\n", __func__, word, bit , size);
   103  
   104          val = readl(&base->word[word].data[i]);
   105          val &= ~(mask << ofs);
   106          val |= v << ofs;
   107          writel(val, &base->word[word].data[i]);
   108  
   109          if ((bit + size - 1) / 32 > i) {
   110                  val = readl(&base->word[word].data[i + 1]);
                                                           ^^^^^
The "+ 1" could put use one step beyond the end of the array.

   111                  val &= ~(mask >> (ofs ? (32 - ofs) : 0));
   112                  val |= v >> (ofs ? (32 - ofs) : 0);
   113                  writel(val, &base->word[word].data[i + 1]);
   114          }
   115  }

See also:
drivers/staging/imx-drm/ipu-v3/ipu-common.c:134
        ipu_ch_param_read_field()
        warn: buffer overflow 'base->word[word]->data' 5 <= 5

regards,
dan carpenter

_______________________________________________
devel mailing list
[email protected]
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Reply via email to