2009-10-12 14:04:35

by Roel Kluin

Subject: [PATCH] gpio: Fix test on unsigned in lnw_irq_type()

The wrong test was used, gpio is unsigned.

Signed-off-by: Roel Kluin <[email protected]>
---
diff --git a/drivers/gpio/langwell_gpio.c b/drivers/gpio/langwell_gpio.c
index 5711ce5..0d0cbc0 100644
--- a/drivers/gpio/langwell_gpio.c
+++ b/drivers/gpio/langwell_gpio.c
@@ -123,8 +123,11 @@ static int lnw_irq_type(unsigned irq, unsigned type)
void __iomem *grer = (void __iomem *)(&lnw->reg_base->GRER[reg]);
void __iomem *gfer = (void __iomem *)(&lnw->reg_base->GFER[reg]);

- if (gpio < 0 || gpio > lnw->chip.ngpio)
+ if (irq < lnw->irq_base || gpio > lnw->chip.ngpio ||
+ reg >= ARRAY_SIZE(lnw->reg_base->GRER)
+ reg >= ARRAY_SIZE(lnw->reg_base->GFER))
return -EINVAL;
+
spin_lock_irqsave(&lnw->lock, flags);
if (type & IRQ_TYPE_EDGE_RISING)
value = readl(grer) | BIT(gpio % 32);
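
Review bot: the added condition is missing a `||` between the `reg >= ARRAY_SIZE(lnw->reg_base->GRER)` line and the `reg >= ARRAY_SIZE(lnw->reg_base->GFER))` line, so it will not compile as posted. The upper bound is also still `gpio > lnw->chip.ngpio`, which lets gpio == ngpio through; using `>=` on gpio would reject that value and, if ngpio matches the size of the register arrays, make the two ARRAY_SIZE tests unnecessary.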


2009-10-12 22:12:33

by Andrew Morton

Subject: Re: [PATCH] gpio: Fix test on unsigned in lnw_irq_type()

On Mon, 12 Oct 2009 16:12:40 +0200
Roel Kluin <[email protected]> wrote:

> The wrong test was used, gpio is unsigned.
>
> Signed-off-by: Roel Kluin <[email protected]>
> ---
> diff --git a/drivers/gpio/langwell_gpio.c b/drivers/gpio/langwell_gpio.c
> index 5711ce5..0d0cbc0 100644
> --- a/drivers/gpio/langwell_gpio.c
> +++ b/drivers/gpio/langwell_gpio.c
> @@ -123,8 +123,11 @@ static int lnw_irq_type(unsigned irq, unsigned type)
> void __iomem *grer = (void __iomem *)(&lnw->reg_base->GRER[reg]);
> void __iomem *gfer = (void __iomem *)(&lnw->reg_base->GFER[reg]);
>
> - if (gpio < 0 || gpio > lnw->chip.ngpio)
> + if (irq < lnw->irq_base || gpio > lnw->chip.ngpio ||
> + reg >= ARRAY_SIZE(lnw->reg_base->GRER)
> + reg >= ARRAY_SIZE(lnw->reg_base->GFER))
> return -EINVAL;
> +
> spin_lock_irqsave(&lnw->lock, flags);
> if (type & IRQ_TYPE_EDGE_RISING)
> value = readl(grer) | BIT(gpio % 32);
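
Review bot: the range test sits below the two context lines that already index GRER[reg] and GFER[reg] to form grer and gfer, so the index is used before it is validated. Only addresses are taken there and the readl() comes after the test, so nothing is dereferenced early, but assigning the two pointers after the validation would make that ordering obvious to the next reader.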

Makes the code unfortunately complex. It'd be better to make `gpio' a
signed quantity, or even..

--- a/drivers/gpio/langwell_gpio.c~gpio-fix-test-on-unsigned-in-lnw_irq_type
+++ a/drivers/gpio/langwell_gpio.c
@@ -123,7 +123,7 @@ static int lnw_irq_type(unsigned irq, un
void __iomem *grer = (void __iomem *)(&lnw->reg_base->GRER[reg]);
void __iomem *gfer = (void __iomem *)(&lnw->reg_base->GFER[reg]);

- if (gpio < 0 || gpio > lnw->chip.ngpio)
+ if ((s32)gpio < 0 || gpio > lnw->chip.ngpio)
return -EINVAL;
spin_lock_irqsave(&lnw->lock, flags);
if (type & IRQ_TYPE_EDGE_RISING)
_
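
Review bot: the `(s32)gpio < 0` cast only rejects values with the top bit set, and for an unsigned gpio those are already rejected by the upper-bound test beside it as long as ngpio is below 2^31, so the cast adds nothing. The bound itself is left as `gpio > lnw->chip.ngpio`, which still accepts gpio == ngpio; suggest dropping the first test and using `gpio >= lnw->chip.ngpio`.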

2009-10-14 17:08:21

by Roel Kluin

Subject: Re: [PATCH] gpio: Fix test on unsigned in lnw_irq_type()

The wrong test was used, gpio is unsigned. Also lnw->chip.ngpio is
set to 64, so if gpio equals that, then reg (= gpio / 32) becomes 2,
an index out of bounds for GRER and GFER that have 2 elements.

Signed-off-by: Roel Kluin <[email protected]>
---
>>>> From: Andrew Morton [mailto:[email protected]]
>>>>> - if (gpio < 0 || gpio > lnw->chip.ngpio)
>>>>> + if (gpio > lnw->chip.ngpio)
>>>>> return -EINVAL;
>>>>
>>>> Should that be >= ?

> Oh, my bad. Andrew is right, should be >=...

Ok, how about this then?

diff --git a/drivers/gpio/langwell_gpio.c b/drivers/gpio/langwell_gpio.c
index 5711ce5..72af3fc 100644
--- a/drivers/gpio/langwell_gpio.c
+++ b/drivers/gpio/langwell_gpio.c
@@ -123,7 +123,7 @@ static int lnw_irq_type(unsigned irq, unsigned type)
void __iomem *grer = (void __iomem *)(&lnw->reg_base->GRER[reg]);
void __iomem *gfer = (void __iomem *)(&lnw->reg_base->GFER[reg]);

- if (gpio < 0 || gpio > lnw->chip.ngpio)
+ if (gpio >= lnw->chip.ngpio)
return -EINVAL;
spin_lock_irqsave(&lnw->lock, flags);
if (type & IRQ_TYPE_EDGE_RISING)
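
Review bot: `gpio >= lnw->chip.ngpio` is only a safe bound for GRER[reg] and GFER[reg] in the context lines while ngpio is no larger than 32 times the number of elements in those arrays, and nothing in the hunk ties the two together. The changelog states that ngpio is 64 and the arrays have 2 elements, so it holds today; a short comment at the test, or a build-time check relating ngpio to ARRAY_SIZE(lnw->reg_base->GRER), would keep the two from drifting apart.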

2009-10-15 00:56:05

by Du, Alek

Subject: RE: [PATCH] gpio: Fix test on unsigned in lnw_irq_type()



>-----Original Message-----
>From: Roel Kluin [mailto:[email protected]]
>Sent: Thursday, October 15, 2009 1:17 AM
>To: Du, Alek; Andrew Morton; LKML
>Subject: Re: [PATCH] gpio: Fix test on unsigned in lnw_irq_type()
>
>The wrong test was used, gpio is unsigned. Also lnw->chip.ngpio is
>set to 64, so if gpio equals that, then reg (= gpio / 32) becomes 2,
>an index out of bounds for GRER and GFER that have 2 elements.
>
>Signed-off-by: Roel Kluin <[email protected]>
>---
>>>>> From: Andrew Morton [mailto:[email protected]]
>>>>>> - if (gpio < 0 || gpio > lnw->chip.ngpio)
>>>>>> + if (gpio > lnw->chip.ngpio)
>>>>>> return -EINVAL;
>>>>>
>>>>> Should that be >= ?
>
>> Oh, my bad. Andrew is right, should be >=...
>
>Ok, how about this then?
>
>diff --git a/drivers/gpio/langwell_gpio.c b/drivers/gpio/langwell_gpio.c
>index 5711ce5..72af3fc 100644
>--- a/drivers/gpio/langwell_gpio.c
>+++ b/drivers/gpio/langwell_gpio.c
>@@ -123,7 +123,7 @@ static int lnw_irq_type(unsigned irq, unsigned type)
> void __iomem *grer = (void __iomem *)(&lnw->reg_base->GRER[reg]);
> void __iomem *gfer = (void __iomem *)(&lnw->reg_base->GFER[reg]);
>
>- if (gpio < 0 || gpio > lnw->chip.ngpio)
>+ if (gpio >= lnw->chip.ngpio)
> return -EINVAL;
> spin_lock_irqsave(&lnw->lock, flags);
> if (type & IRQ_TYPE_EDGE_RISING)

Acked-by: Alek Du <[email protected]>