[V2,1/3] PCI: rcar: Move the inbound index check

Message ID 20190809174825.2572-1-marek.vasut@gmail.com
State Superseded

Commit Message

Marek Vasut Aug. 9, 2019, 5:48 p.m. UTC
From: Marek Vasut <marek.vasut+renesas@gmail.com>

Since the $idx variable value is stored across multiple calls to
rcar_pcie_inbound_ranges() function, and the $idx value is used to
index registers which are written, subsequent calls might cause
the $idx value to be high enough to trigger writes into nonexistent
registers.

Fix this by moving the $idx value check to the beginning of the loop.

Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: Wolfram Sang <wsa@the-dreams.de>
Cc: linux-renesas-soc@vger.kernel.org
To: linux-pci@vger.kernel.org
---
V2: New patch
---
 drivers/pci/controller/pcie-rcar.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

Comments

Geert Uytterhoeven Aug. 9, 2019, 5:52 p.m. UTC | #1
Hi Marek,

On Fri, Aug 9, 2019 at 7:48 PM <marek.vasut@gmail.com> wrote:
> From: Marek Vasut <marek.vasut+renesas@gmail.com>
>
> Since the $idx variable value is stored across multiple calls to
> rcar_pcie_inbound_ranges() function, and the $idx value is used to
> index registers which are written, subsequent calls might cause
> the $idx value to be high enough to trigger writes into nonexistent
> registers.
>
> Fix this by moving the $idx value check to the beginning of the loop.
>
> Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>

Thanks for your patch!

> --- a/drivers/pci/controller/pcie-rcar.c
> +++ b/drivers/pci/controller/pcie-rcar.c
> @@ -1048,6 +1048,10 @@ static int rcar_pcie_inbound_ranges(struct rcar_pcie *pcie,
>         mask &= ~0xf;
>
>         while (cpu_addr < cpu_end) {
> +               if (idx > MAX_NR_INBOUND_MAPS) {

Shouldn't that check be "idx >= MAX_NR_INBOUND_MAPS - 1" now?

> +                       dev_err(pcie->dev, "Failed to map inbound regions!\n");
> +                       return -EINVAL;
> +               }
>                 /*
>                  * Set up 64-bit inbound regions as the range parser doesn't
>                  * distinguish between 32 and 64-bit types.
> @@ -1067,11 +1071,6 @@ static int rcar_pcie_inbound_ranges(struct rcar_pcie *pcie,
>                 pci_addr += size;
>                 cpu_addr += size;
>                 idx += 2;
> -
> -               if (idx > MAX_NR_INBOUND_MAPS) {
> -                       dev_err(pcie->dev, "Failed to map inbound regions!\n");
> -                       return -EINVAL;
> -               }
>         }
>         *index = idx;

Gr{oetje,eeting}s,

                        Geert

Patch

diff --git a/drivers/pci/controller/pcie-rcar.c b/drivers/pci/controller/pcie-rcar.c
index f6a669a9af41..0f501acbc3bb 100644
--- a/drivers/pci/controller/pcie-rcar.c
+++ b/drivers/pci/controller/pcie-rcar.c
@@ -1048,6 +1048,10 @@  static int rcar_pcie_inbound_ranges(struct rcar_pcie *pcie,
 	mask &= ~0xf;
 
 	while (cpu_addr < cpu_end) {
+		if (idx > MAX_NR_INBOUND_MAPS) {
+			dev_err(pcie->dev, "Failed to map inbound regions!\n");
+			return -EINVAL;
+		}
 		/*
 		 * Set up 64-bit inbound regions as the range parser doesn't
 		 * distinguish between 32 and 64-bit types.
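Review bot: The bound in `if (idx > MAX_NR_INBOUND_MAPS)` at the top of the loop is carried over unchanged from its old position after `idx += 2`, but it now guards the index that is about to be used rather than the next one. With `>`, idx equal to MAX_NR_INBOUND_MAPS still passes the check and the body goes on to program registers at that index, and since every iteration advances idx by 2, each pass appears to consume two entries. Please either tighten the comparison (the `idx >= MAX_NR_INBOUND_MAPS - 1` form raised in review) or state in the commit message how MAX_NR_INBOUND_MAPS relates to the highest valid register index, so the off-by-one question can be settled from the text.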
@@ -1067,11 +1071,6 @@  static int rcar_pcie_inbound_ranges(struct rcar_pcie *pcie,
 		pci_addr += size;
 		cpu_addr += size;
 		idx += 2;
-
-		if (idx > MAX_NR_INBOUND_MAPS) {
-			dev_err(pcie->dev, "Failed to map inbound regions!\n");
-			return -EINVAL;
-		}
 	}
 	*index = idx;
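Review bot: With the trailing check removed, `*index = idx` can hand a value above the limit back to the caller, and nothing in this function rejects it until a later call actually enters the loop. That is the behaviour the commit message relies on, but it is not obvious from the code: a short comment at the new check saying that idx is carried across calls through *index would help. The changelog should also mention the behaviour change, namely that a call whose final iteration pushes idx past the limit no longer returns -EINVAL from this loop once its last region has been programmed.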