From: Marek Vasut <[email protected]> Since the $idx variable value is stored across multiple calls to rcar_pcie_inbound_ranges() function, and the $idx value is used to index registers which are written, subsequent calls might cause the $idx value to be high enough to trigger writes into nonexistent registers.
Fix this by moving the $idx value check to the beginning of the loop. Signed-off-by: Marek Vasut <[email protected]> Cc: Geert Uytterhoeven <[email protected]> Cc: Lorenzo Pieralisi <[email protected]> Cc: Wolfram Sang <[email protected]> Cc: [email protected] To: [email protected] --- V2: New patch --- drivers/pci/controller/pcie-rcar.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/drivers/pci/controller/pcie-rcar.c b/drivers/pci/controller/pcie-rcar.c index f6a669a9af41..0f501acbc3bb 100644 --- a/drivers/pci/controller/pcie-rcar.c +++ b/drivers/pci/controller/pcie-rcar.c @@ -1048,6 +1048,10 @@ static int rcar_pcie_inbound_ranges(struct rcar_pcie *pcie, mask &= ~0xf; while (cpu_addr < cpu_end) { + if (idx > MAX_NR_INBOUND_MAPS) { + dev_err(pcie->dev, "Failed to map inbound regions!\n"); + return -EINVAL; + } /* * Set up 64-bit inbound regions as the range parser doesn't * distinguish between 32 and 64-bit types. @@ -1067,11 +1071,6 @@ static int rcar_pcie_inbound_ranges(struct rcar_pcie *pcie, pci_addr += size; cpu_addr += size; idx += 2; - - if (idx > MAX_NR_INBOUND_MAPS) { - dev_err(pcie->dev, "Failed to map inbound regions!\n"); - return -EINVAL; - } } *index = idx; -- 2.20.1
