Commit 509cb7dc authored by Peter Hurley Committed by Greg Kroah-Hartman

serial: 8250: Validate reg addr for Au1x00/RT288x i/o accessors

Au1x00/RT2800+ hardware has an alternate register layout which is
remapped with lookup tables by the au_serial_in()/out() i/o accessors.
However, the h/w does not support the complete 8250 register set, and
accesses to unmapped registers cause out-of-bounds lookups. Further,
because the lookup tables are defined by designated initializers, the
tables may contain unmapped entries (although the current tables do not).

Declare fixed-size lookup tables with contiguous initialization for
the complete 8250 register map; unmapped registers are initialized to -1.
Validate that the register index (i.e., 'offset') is in the range [0, table size).
Return fixed value for unmapped register reads and ignore unmapped register
writes.
Reported-by: Mason <slash.tmp@free.fr>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Tested-by: Mans Rullgard <mans@mansr.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 72a33aad
...@@ -358,34 +358,46 @@ static void default_serial_dl_write(struct uart_8250_port *up, int value) ...@@ -358,34 +358,46 @@ static void default_serial_dl_write(struct uart_8250_port *up, int value)
#if defined(CONFIG_MIPS_ALCHEMY) || defined(CONFIG_SERIAL_8250_RT288X) #if defined(CONFIG_MIPS_ALCHEMY) || defined(CONFIG_SERIAL_8250_RT288X)
/* Au1x00/RT288x UART hardware has a weird register layout */ /* Au1x00/RT288x UART hardware has a weird register layout */
static const u8 au_io_in_map[] = { static const s8 au_io_in_map[8] = {
[UART_RX] = 0, 0, /* UART_RX */
[UART_IER] = 2, 2, /* UART_IER */
[UART_IIR] = 3, 3, /* UART_IIR */
[UART_LCR] = 5, 5, /* UART_LCR */
[UART_MCR] = 6, 6, /* UART_MCR */
[UART_LSR] = 7, 7, /* UART_LSR */
[UART_MSR] = 8, 8, /* UART_MSR */
-1, /* UART_SCR (unmapped) */
}; };
static const u8 au_io_out_map[] = { static const s8 au_io_out_map[8] = {
[UART_TX] = 1, 1, /* UART_TX */
[UART_IER] = 2, 2, /* UART_IER */
[UART_FCR] = 4, 4, /* UART_FCR */
[UART_LCR] = 5, 5, /* UART_LCR */
[UART_MCR] = 6, 6, /* UART_MCR */
-1, /* UART_LSR (unmapped) */
-1, /* UART_MSR (unmapped) */
-1, /* UART_SCR (unmapped) */
}; };
static unsigned int au_serial_in(struct uart_port *p, int offset) static unsigned int au_serial_in(struct uart_port *p, int offset)
{ {
offset = au_io_in_map[offset] << p->regshift; if (offset >= ARRAY_SIZE(au_io_in_map))
return __raw_readl(p->membase + offset); return UINT_MAX;
offset = au_io_in_map[offset];
if (offset < 0)
return UINT_MAX;
return __raw_readl(p->membase + (offset << p->regshift));
} }
static void au_serial_out(struct uart_port *p, int offset, int value) static void au_serial_out(struct uart_port *p, int offset, int value)
{ {
offset = au_io_out_map[offset] << p->regshift; if (offset >= ARRAY_SIZE(au_io_out_map))
__raw_writel(value, p->membase + offset); return;
offset = au_io_out_map[offset];
if (offset < 0)
return;
__raw_writel(value, p->membase + (offset << p->regshift));
} }
/* Au1x00 haven't got a standard divisor latch */ /* Au1x00 haven't got a standard divisor latch */
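Review bot: The lower bound of the index check in au_serial_in() and au_serial_out() is enforced only implicitly. `offset` is a signed int and `ARRAY_SIZE()` yields an unsigned value, so a negative offset is rejected by `offset >= ARRAY_SIZE(au_io_in_map)` only because the usual arithmetic conversions turn it into a large unsigned number. The commit message states the valid range as [0, table size), so the code should state it too, either as `if (offset < 0 || offset >= ARRAY_SIZE(au_io_in_map))` or with a comment such as `/* negative offsets convert to large unsigned values and fail this test as well */`. Separately, both tables now rely on positional order matching UART_RX..UART_SCR, with only the trailing comments tying an entry to its register. Keeping designated initializers and writing the unmapped slots explicitly, e.g. `[UART_SCR] = -1,`, would let the compiler keep the index-to-register link.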