[bug report] soundwire: qcom: Check device status before reading devid
Dan Carpenter
dan.carpenter at oracle.com
Fri Jul 8 10:08:14 CEST 2022
Hello Srinivas Kandagatla,
The patch aa1262ca6695: "soundwire: qcom: Check device status before
reading devid" from Jul 6, 2022, leads to the following Smatch static
checker warning:
drivers/soundwire/qcom.c:484 qcom_swrm_enumerate()
error: buffer overflow 'ctrl->status' 11 <= 11
drivers/soundwire/qcom.c
471 static int qcom_swrm_enumerate(struct sdw_bus *bus)
472 {
473 struct qcom_swrm_ctrl *ctrl = to_qcom_sdw(bus);
474 struct sdw_slave *slave, *_s;
475 struct sdw_slave_id id;
476 u32 val1, val2;
477 bool found;
478 u64 addr;
479 int i;
480 char *buf1 = (char *)&val1, *buf2 = (char *)&val2;
481
482 for (i = 1; i <= SDW_MAX_DEVICES; i++) {
^^^^^
This a loop that starts from 1 instead of 0. I looked at the
surrounding context and it seems like it should be a normal loop that
starts at 0 and goes to < SDW_MAX_DEVICES.
(Or possibly the other loops are buggy as well).
483 /* do not continue if the status is Not Present */
--> 484 if (!ctrl->status[i])
So this is off by one and reads one element beyond the end of the loop.
485 continue;
486
487 /*SCP_Devid5 - Devid 4*/
488 ctrl->reg_read(ctrl, SWRM_ENUMERATOR_SLAVE_DEV_ID_1(i), &val1);
489
490 /*SCP_Devid3 - DevId 2 Devid 1 Devid 0*/
491 ctrl->reg_read(ctrl, SWRM_ENUMERATOR_SLAVE_DEV_ID_2(i), &val2);
492
493 if (!val1 && !val2)
494 break;
495
496 addr = buf2[1] | (buf2[0] << 8) | (buf1[3] << 16) |
497 ((u64)buf1[2] << 24) | ((u64)buf1[1] << 32) |
498 ((u64)buf1[0] << 40);
499
500 sdw_extract_slave_id(bus, addr, &id);
501 found = false;
502 /* Now compare with entries */
503 list_for_each_entry_safe(slave, _s, &bus->slaves, node) {
504 if (sdw_compare_devid(slave, id) == 0) {
505 qcom_swrm_set_slave_dev_num(bus, slave, i);
506 found = true;
507 break;
508 }
509 }
510
511 if (!found) {
512 qcom_swrm_set_slave_dev_num(bus, NULL, i);
513 sdw_slave_add(bus, &id, NULL);
514 }
515 }
516
517 complete(&ctrl->enumeration);
518 return 0;
519 }
regards,
dan carpenter
More information about the Alsa-devel
mailing list