
MLK-11894 imx: sema4: fix the out of bounds write

Fix the out of bounds write, and the dereference before
null check.

Signed-off-by: Richard Zhu <Richard.Zhu@freescale.com>
(cherry picked from commit 775ff0727166535e9b1ba1f70167e6a33fee5f13)
pull/10/head
Richard Zhu 2015-11-26 09:36:48 +08:00 committed by Jason Liu
parent ec34ff4dba
commit e4e58f4b61
2 changed files with 8 additions and 6 deletions


@ -44,7 +44,7 @@ imx_sema4_mutex_create(u32 dev_num, u32 mutex_num)
{ {
struct imx_sema4_mutex *mutex_ptr = NULL; struct imx_sema4_mutex *mutex_ptr = NULL;
if ((mutex_num > SEMA4_NUM_GATES) || dev_num >= SEMA4_NUM_DEVICES) if (mutex_num >= SEMA4_NUM_GATES || dev_num >= SEMA4_NUM_DEVICES)
goto out; goto out;
if (imx6_sema4->cpine_val & (1 < mutex_num)) { if (imx6_sema4->cpine_val & (1 < mutex_num)) {
@ -121,11 +121,12 @@ EXPORT_SYMBOL(imx_sema4_mutex_destroy);
*/ */
int _imx_sema4_mutex_lock(struct imx_sema4_mutex *mutex_ptr) int _imx_sema4_mutex_lock(struct imx_sema4_mutex *mutex_ptr)
{ {
int ret = 0, i = mutex_ptr->gate_num; int ret = 0, i = 0;
if ((mutex_ptr == NULL) || (mutex_ptr->valid != CORE_MUTEX_VALID)) if ((mutex_ptr == NULL) || (mutex_ptr->valid != CORE_MUTEX_VALID))
return -EINVAL; return -EINVAL;
i = mutex_ptr->gate_num;
mutex_ptr->gate_val = readb(imx6_sema4->ioaddr + i); mutex_ptr->gate_val = readb(imx6_sema4->ioaddr + i);
mutex_ptr->gate_val &= SEMA4_GATE_MASK; mutex_ptr->gate_val &= SEMA4_GATE_MASK;
/* Check to see if this core already own it */ /* Check to see if this core already own it */
@ -234,11 +235,12 @@ EXPORT_SYMBOL(imx_sema4_mutex_lock);
*/ */
int imx_sema4_mutex_unlock(struct imx_sema4_mutex *mutex_ptr) int imx_sema4_mutex_unlock(struct imx_sema4_mutex *mutex_ptr)
{ {
int ret = 0, i = mutex_ptr->gate_num; int ret = 0, i = 0;
if ((mutex_ptr == NULL) || (mutex_ptr->valid != CORE_MUTEX_VALID)) if ((mutex_ptr == NULL) || (mutex_ptr->valid != CORE_MUTEX_VALID))
return -EINVAL; return -EINVAL;
i = mutex_ptr->gate_num;
mutex_ptr->gate_val = readb(imx6_sema4->ioaddr + i); mutex_ptr->gate_val = readb(imx6_sema4->ioaddr + i);
mutex_ptr->gate_val &= SEMA4_GATE_MASK; mutex_ptr->gate_val &= SEMA4_GATE_MASK;
/* make sure it is locked by this core */ /* make sure it is locked by this core */
@ -271,7 +273,7 @@ static irqreturn_t imx_sema4_isr(int irq, void *dev_id)
{ {
int i; int i;
struct imx_sema4_mutex *mutex_ptr; struct imx_sema4_mutex *mutex_ptr;
u32 mask; unsigned int mask;
struct imx_sema4_mutex_device *imx6_sema4 = dev_id; struct imx_sema4_mutex_device *imx6_sema4 = dev_id;
imx6_sema4->cpntf_val = readw(imx6_sema4->ioaddr + SEMA4_CP0NTF); imx6_sema4->cpntf_val = readw(imx6_sema4->ioaddr + SEMA4_CP0NTF);
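Review bot: In the first hunk the context line `if (imx6_sema4->cpine_val & (1 < mutex_num)) {` uses a comparison where a shift appears to be intended, and the commit leaves it unchanged. `1 < mutex_num` evaluates to 0 or 1, so the guard tests no bit at all for gates 0 and 1 and only bit 0 for every other gate; it cannot tell one gate from another. If the mask is meant to be per gate, the line should read `if (imx6_sema4->cpine_val & (1 << mutex_num)) {`, or use `idx_sema4[mutex_num]` if cpine_val follows that table's bit order. The register layout is not visible here, so confirm which applies. The body of imx_sema4_mutex_create continues outside the hunk.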


@ -29,7 +29,7 @@ enum {
SEMA4_CP1NTF = 0x88, SEMA4_CP1NTF = 0x88,
}; };
static const unsigned int idx_sema4[16] = { static const unsigned int idx_sema4[SEMA4_NUM_GATES] = {
1 << 7, 1 << 6, 1 << 5, 1 << 4, 1 << 7, 1 << 6, 1 << 5, 1 << 4,
1 << 3, 1 << 2, 1 << 1, 1 << 0, 1 << 3, 1 << 2, 1 << 1, 1 << 0,
1 << 15, 1 << 14, 1 << 13, 1 << 12, 1 << 15, 1 << 14, 1 << 13, 1 << 12,
@ -52,7 +52,7 @@ struct imx_sema4_mutex_device {
int irq; int irq;
u16 alloced; u16 alloced;
struct imx_sema4_mutex *mutex_ptr[16]; struct imx_sema4_mutex *mutex_ptr[SEMA4_NUM_GATES];
}; };
struct imx_sema4_mutex * struct imx_sema4_mutex *
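Review bot: The `idx_sema4` initializer list and the `u16 alloced` field still appear to assume sixteen gates, even though both arrays are now sized by SEMA4_NUM_GATES. If the constant were ever raised, the extra `idx_sema4` entries would be zero-initialised without a warning, and `alloced` (presumably a per-gate bitmap) would run out of bits. A compile-time check such as `BUILD_BUG_ON(SEMA4_NUM_GATES > 16);` in the driver's init code would pin the assumption. A comment next to the constant, `/* must match the idx_sema4 initializer and fit in the u16 alloced bitmap */`, would do the same job. The definition of SEMA4_NUM_GATES and the tail of the initializer list are outside these hunks.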