Re: [PATCH] dmaengine: rcar-dmac: avoid array overflow

From: Niklas Söderlund
Date: Fri Jul 28 2017 - 12:08:18 EST


Hi Arnd,

On 2017-07-28 15:15:49 +0200, Arnd Bergmann wrote:
> Building with CONFIG_UBSAN_SANITIZE_ALL shows this warning:
>
> drivers/dma/sh/rcar-dmac.c: In function 'rcar_dmac_chan_prep_sg':
> drivers/dma/sh/rcar-dmac.c:839:29: error: array subscript is above array bounds [-Werror=array-bounds]
> desc->chcr = chcr | chcr_ts[desc->xfer_shift];
>
> As the compiler doesn't know what the xfer_size is, it is impossible
> to rule out the array overflow here. As we know that xfer_size
> can only be within enum dma_slave_buswidth, this will not overflow
> for correct users, and adding a range check will handle the
> obscure case and shut up the warning.
>
> Fixes: 87244fe5abdf ("dmaengine: rcar-dmac: Add Renesas R-Car Gen2 DMA Controller (DMAC) driver")
> Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>

Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@xxxxxxxxxxxx>

> ---
> drivers/dma/sh/rcar-dmac.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
> index ffcadca53243..f5b28eb4009e 100644
> --- a/drivers/dma/sh/rcar-dmac.c
> +++ b/drivers/dma/sh/rcar-dmac.c
> @@ -836,7 +836,8 @@ static void rcar_dmac_chan_configure_desc(struct rcar_dmac_chan *chan,
> }
>
> desc->xfer_shift = ilog2(xfer_size);
> - desc->chcr = chcr | chcr_ts[desc->xfer_shift];
> + if (desc->xfer_shift < ARRAY_SIZE(chcr_ts))
> + desc->chcr = chcr | chcr_ts[desc->xfer_shift];
> }
>
> /*
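Review bot: the new `if (desc->xfer_shift < ARRAY_SIZE(chcr_ts))` has no else path, so when the shift is out of range `desc->chcr` is simply not written, and this `static void` function returns with nothing to tell the caller. The descriptor then keeps whatever `chcr` value it already held, and nothing visible in this hunk logs or rejects the bad width. Consider making the obscure case observable, for example by wrapping the out-of-range condition in `WARN_ON_ONCE()`, or by rejecting the unsupported bus width earlier at a point where an error can be returned, rather than silently skipping the assignment.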
> --
> 2.9.0
>

--
Regards,
Niklas Söderlund