2009-11-11 15:53:48

by Roel Kluin

Subject: [PATCH] pxa: make index mfp unsigned in mfp_read() and write()

When signed, it is possible in theory to pass a negative mfp,
and read/write outside the array bounds.

Signed-off-by: Roel Kluin <[email protected]>
---
arch/arm/plat-pxa/include/plat/mfp.h | 4 ++--
arch/arm/plat-pxa/mfp.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)

I did not observe the passing of a negative mfp anywhere so this
can be considered as a cleanup. Alternatively I could introduce
a `mfp < 0' check in mfp_{read,write} instead if desired.

diff --git a/arch/arm/plat-pxa/include/plat/mfp.h b/arch/arm/plat-pxa/include/plat/mfp.h
index 22086e6..0743f4a 100644
--- a/arch/arm/plat-pxa/include/plat/mfp.h
+++ b/arch/arm/plat-pxa/include/plat/mfp.h
@@ -458,8 +458,8 @@ void __init mfp_init_addr(struct mfp_addr_map *map);
* mfp_config_lpm() - configuring all low power MFPR registers for suspend
* mfp_config_run() - configuring all run time MFPR registers after resume
*/
-unsigned long mfp_read(int mfp);
-void mfp_write(int mfp, unsigned long mfpr_val);
+unsigned long mfp_read(unsigned mfp);
+void mfp_write(unsigned mfp, unsigned long mfpr_val);
void mfp_config(unsigned long *mfp_cfgs, int num);
void mfp_config_run(void);
void mfp_config_lpm(void);
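Review bot: The new prototypes for mfp_read() and mfp_write() use bare `unsigned`; kernel coding style prefers the type spelled out, so these should read `unsigned int mfp`. The same applies to the two definitions in mfp.c so that declaration and definition stay textually identical.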
diff --git a/arch/arm/plat-pxa/mfp.c b/arch/arm/plat-pxa/mfp.c
index 9405d03..c80d0db 100644
--- a/arch/arm/plat-pxa/mfp.c
+++ b/arch/arm/plat-pxa/mfp.c
@@ -203,7 +203,7 @@ void mfp_config(unsigned long *mfp_cfgs, int num)
spin_unlock_irqrestore(&mfp_spin_lock, flags);
}

-unsigned long mfp_read(int mfp)
+unsigned long mfp_read(unsigned mfp)
{
unsigned long val, flags;

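Review bot: Changing the parameter of mfp_read() to `unsigned` does not by itself keep the index inside the array. A caller that passes a negative int now has it converted silently to a very large value, so the protection depends entirely on an upper-bound check in the function body, which these context lines do not show. Name that check in the changelog, or add the explicit `mfp < 0` test offered in the note below the `---`, so the bound is visible at the point of use.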
@@ -216,7 +216,7 @@ unsigned long mfp_read(int mfp)
return val;
}

-void mfp_write(int mfp, unsigned long val)
+void mfp_write(unsigned mfp, unsigned long val)
{
unsigned long flags;


2009-11-13 07:03:54

by Eric Miao

Subject: Re: [PATCH] pxa: make index mfp unsigned in mfp_read() and write()

On Thu, Nov 12, 2009 at 12:05 AM, Roel Kluin <[email protected]> wrote:
> When signed, it is possible in theory to pass a negative mfp,
> and read/write outside the array bounds.
>
> Signed-off-by: Roel Kluin <[email protected]>
> ---
>  arch/arm/plat-pxa/include/plat/mfp.h |    4 ++--
>  arch/arm/plat-pxa/mfp.c              |    4 ++--
>  2 files changed, 4 insertions(+), 4 deletions(-)
>
> I did not observe the passing of a negative mfp anywhere so this
> can be considered as a cleanup. Alternatively I could introduce
> a `mfp < 0' check in mfp_{read,write} instead if desired.
>

I'd prefer to have a check in mfp_{read,write} instead.

2009-11-13 10:25:41

by Roel Kluin

Subject: Re: [PATCH] pxa: make index mfp unsigned in mfp_read() and write()

Ensure we do not read/write outside array boundaries
with a negative index.

Signed-off-by: Roel Kluin <[email protected]>
---
On 13-11-09 08:03, Eric Miao wrote:
> On Thu, Nov 12, 2009 at 12:05 AM, Roel Kluin <[email protected]> wrote:
>> When signed, it is possible in theory to pass a negative mfp,
>> and read/write outside the array bounds.

>> I did not observe the passing of a negative mfp anywhere so this
>> can be considered as a cleanup. Alternatively I could introduce
>> a `mfp < 0' check in mfp_{read,write} instead if desired.
>>
>
> I'd prefer to have a check in mfp_{read,write} instead.

ok,

diff --git a/arch/arm/plat-pxa/mfp.c b/arch/arm/plat-pxa/mfp.c
index 9405d03..be58f9f 100644
--- a/arch/arm/plat-pxa/mfp.c
+++ b/arch/arm/plat-pxa/mfp.c
@@ -207,7 +207,7 @@ unsigned long mfp_read(int mfp)
{
unsigned long val, flags;

- BUG_ON(mfp >= MFP_PIN_MAX);
+ BUG_ON(mfp < 0 || mfp >= MFP_PIN_MAX);

spin_lock_irqsave(&mfp_spin_lock, flags);
val = mfpr_readl(mfp_table[mfp].mfpr_off);
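Review bot: The Subject no longer matches this version: it still says "make index mfp unsigned", while the hunk keeps `int mfp` in mfp_read() and extends the existing BUG_ON to `mfp < 0 || mfp >= MFP_PIN_MAX`. Retitle the patch to describe the added range check and mark it as v2 so the log entry reflects what is merged. The check itself is placed correctly, before the lock is taken and before `mfp_table[mfp]` is indexed.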
@@ -220,7 +220,7 @@ void mfp_write(int mfp, unsigned long val)
{
unsigned long flags;

- BUG_ON(mfp >= MFP_PIN_MAX);
+ BUG_ON(mfp < 0 || mfp >= MFP_PIN_MAX);

spin_lock_irqsave(&mfp_spin_lock, flags);
mfpr_writel(mfp_table[mfp].mfpr_off, val);
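Review bot: The valid range of mfp remains undocumented for callers of mfp_write(), even though a violation now hits `BUG_ON(mfp < 0 || mfp >= MFP_PIN_MAX)` and stops the kernel. Add a line to the comment above the prototypes in plat/mfp.h stating that mfp must satisfy 0 <= mfp < MFP_PIN_MAX for both mfp_read() and mfp_write(), since the parameter type stays `int` and does not convey the constraint.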