On 10 December 2015 at 12:28, Alexey Klimov <alexey.kli...@arm.com> wrote:
> This patch fixes the calculation of pcc_chan for non-zero id.
> After the compiler ignores the (unsigned long) cast the
> pcc_mbox_channels pointer is type-cast and then the type-cast
> offset is added which results in address outside of the range
> leading to the kernel crashing.
>
> We might add braces and make it:
>
> pcc_chan = (struct mbox_chan *)
> ((unsigned long) pcc_mbox_channels +
> (id * sizeof(*pcc_chan)));
>
> but let's go with array approach here and use id as index.
>
> Tested on Juno board.
>
> Acked-by: Sudeep Holla <sudeep.ho...@arm.com>
> Signed-off-by: Alexey Klimov <alexey.kli...@arm.com>
> ---
> drivers/mailbox/pcc.c | 8 +-------
> 1 file changed, 1 insertion(+), 7 deletions(-)
>
> diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c
> index 45d85ae..8f779a1 100644
> --- a/drivers/mailbox/pcc.c
> +++ b/drivers/mailbox/pcc.c
> @@ -81,16 +81,10 @@ static struct mbox_controller pcc_mbox_ctrl = {};
> */
> static struct mbox_chan *get_pcc_channel(int id)
> {
> - struct mbox_chan *pcc_chan;
> -
> if (id < 0 || id > pcc_mbox_ctrl.num_chans)
> return ERR_PTR(-ENOENT);
>
> - pcc_chan = (struct mbox_chan *)
> - (unsigned long) pcc_mbox_channels +
> - (id * sizeof(*pcc_chan));
> -
> - return pcc_chan;
> + return &pcc_mbox_channels[id];
> }
>
Strange that we didn't catch this even with a non-zero id. But the
change makes sense so..
Acked-by: Ashwin Chaugule <ashwin.chaug...@linaro.org>
Thanks,
Ashwin.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
