| From 596eb933fe4857b9abfdb1156e3d203a7b4f611f Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 23 Feb 2021 19:38:21 +0000 |
| Subject: memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] |
| |
| From: Colin Ian King <colin.king@canonical.com> |
| |
| [ Upstream commit e004c3e67b6459c99285b18366a71af467d869f5 ] |
| |
| Currently the array gpmc_cs is indexed by cs before cs is range checked |
| and the pointer read from this out-of-index read is dereferenced. Fix this |
| by performing the range check on cs before the read and the following |
| pointer dereference. |
| |
| Addresses-Coverity: ("Negative array index read") |
| Fixes: 9ed7a776eb50 ("ARM: OMAP2+: Fix support for multiple devices on a GPMC chip select") |
| Signed-off-by: Colin Ian King <colin.king@canonical.com> |
| Reviewed-by: Tony Lindgren <tony@atomide.com> |
| Link: https://lore.kernel.org/r/20210223193821.17232-1-colin.king@canonical.com |
| Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/memory/omap-gpmc.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c |
| index cfa730cfd145..f80c2ea39ca4 100644 |
| --- a/drivers/memory/omap-gpmc.c |
| +++ b/drivers/memory/omap-gpmc.c |
| @@ -1009,8 +1009,8 @@ EXPORT_SYMBOL(gpmc_cs_request); |
| |
| void gpmc_cs_free(int cs) |
| { |
| - struct gpmc_cs_data *gpmc = &gpmc_cs[cs]; |
| - struct resource *res = &gpmc->mem; |
| + struct gpmc_cs_data *gpmc; |
| + struct resource *res; |
| |
| spin_lock(&gpmc_mem_lock); |
| if (cs >= gpmc_cs_num || cs < 0 || !gpmc_cs_reserved(cs)) { |
| @@ -1018,6 +1018,9 @@ void gpmc_cs_free(int cs) |
| spin_unlock(&gpmc_mem_lock); |
| return; |
| } |
| + gpmc = &gpmc_cs[cs]; |
| + res = &gpmc->mem; |
| + |
| gpmc_cs_disable_mem(cs); |
| if (res->flags) |
| release_resource(res); |
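Review bot: The assignments `gpmc = &gpmc_cs[cs];` and `res = &gpmc->mem;` added after the error branch carry no comment saying why they are deferred, so a later tidy-up could fold them back into the declarations changed in the first hunk and reintroduce the out-of-range index. A one-line comment above them would pin the ordering, for example `/* cs is range-checked above; gpmc_cs[] must not be indexed before that */`. The check also treats `gpmc_cs_num` as the upper bound of `gpmc_cs[]`; where that value is set is not visible in this patch, so it is worth confirming that it can never exceed the array's declared size. The body of gpmc_cs_free continues past the end of this hunk.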
| -- |
| 2.30.2 |
| |