Commit 0a46781c authored by Christophe JAILLET's avatar Christophe JAILLET Committed by Vinod Koul

dmaengine: mcf-edma: Fix a potential un-allocated memory access

When 'mcf_edma' is allocated, some space is allocated for a
flexible array at the end of the struct. 'chans' item are allocated, that is
to say 'pdata->dma_channels'.

Then, this number of item is stored in 'mcf_edma->n_chans'.

A few lines later, if 'mcf_edma->n_chans' is 0, then a default value of 64
is set.

This ends to no space allocated by devm_kzalloc() because chans was 0, but
64 items are read and/or written in some not allocated memory.

Change the logic to define a default value before allocating the memory.

Fixes: e7a3ff92 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support")
Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/f55d914407c900828f6fad3ea5fa791a5f17b9a4.1685172449.git.christophe.jaillet@wanadoo.frSigned-off-by: default avatarVinod Koul <vkoul@kernel.org>
parent a68b48af
...@@ -190,7 +190,13 @@ static int mcf_edma_probe(struct platform_device *pdev) ...@@ -190,7 +190,13 @@ static int mcf_edma_probe(struct platform_device *pdev)
return -EINVAL; return -EINVAL;
} }
chans = pdata->dma_channels; if (!pdata->dma_channels) {
dev_info(&pdev->dev, "setting default channel number to 64");
chans = 64;
} else {
chans = pdata->dma_channels;
}
len = sizeof(*mcf_edma) + sizeof(*mcf_chan) * chans; len = sizeof(*mcf_edma) + sizeof(*mcf_chan) * chans;
mcf_edma = devm_kzalloc(&pdev->dev, len, GFP_KERNEL); mcf_edma = devm_kzalloc(&pdev->dev, len, GFP_KERNEL);
if (!mcf_edma) if (!mcf_edma)
...@@ -202,11 +208,6 @@ static int mcf_edma_probe(struct platform_device *pdev) ...@@ -202,11 +208,6 @@ static int mcf_edma_probe(struct platform_device *pdev)
mcf_edma->drvdata = &mcf_data; mcf_edma->drvdata = &mcf_data;
mcf_edma->big_endian = 1; mcf_edma->big_endian = 1;
if (!mcf_edma->n_chans) {
dev_info(&pdev->dev, "setting default channel number to 64");
mcf_edma->n_chans = 64;
}
mutex_init(&mcf_edma->fsl_edma_mutex); mutex_init(&mcf_edma->fsl_edma_mutex);
mcf_edma->membase = devm_platform_ioremap_resource(pdev, 0); mcf_edma->membase = devm_platform_ioremap_resource(pdev, 0);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment