Re: [PATCH 2/3] soc: renesas: Add Renesas R-Car MFIS driver

Next message: Bean Huo: "Re: [PATCH v4 10/12] scsi: ufs: ufs-qcom: Implement vops get_rx_fom()"
Previous message: Marc Zyngier: "Re: [PATCH] tracing: Adjust cmd_check_undefined to show unexpected undefined symbols"
In reply to: Geert Uytterhoeven: "Re: [PATCH 2/3] soc: renesas: Add Renesas R-Car MFIS driver"
Next in thread: Geert Uytterhoeven: "Re: [PATCH 2/3] soc: renesas: Add Renesas R-Car MFIS driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wolfram Sang

Date: Mon Mar 23 2026 - 05:29:43 EST

> > > > + if (priv->info->mb_reg_comes_from_dt) {
> > > > + tx_uses_eicr = chan_flags & MFIS_CHANNEL_EICR;
> > > > + if (tx_uses_eicr)
> > > > + chan += mbox->num_chans / 2;
> > > > + } else {
> > > > + tx_uses_eicr = priv->info->mb_tx_uses_eicr;
> > > > + }
> > >
> > > "chan - mbox->chans" is the logical channel number, and should be
> > > validated against mbox_num_chans, to avoid out-of-bound accesses.
> >
> > "chan - ..."? You mean "chan + ..."?
>
> No, I did mean "-": you do have a pointer "chan" to the channel,
> instead of an index into the mbox->chans[] array.
> Using a index would make validation easier to read, though.

Sorry, I still don't get it: If 'chan_num' has been sanitized above to
be in the range of 0..priv->info->mb_num_channels - 1, then how can a
OOB happen here? "chan += mbox->num_chans / 2" only happens when
'mb_reg_comes_from_dt' is set. But when it is set, the array of chans is
also always doubled to have the "<n> IICR, then <n> EICR" layout.

Attachment: signature.asc
Description: PGP signature