[lvc-project] [PATCH v1] drivers/dma/ioat/prep: don't read pq->coef out of bounds

Daniil Tatianin d-tatianin at yandex-team.ru
Mon Nov 14 17:36:35 MSK 2022


dump_pq16_desc_dbg() would access pq->coef with an index obtained with
src16_cnt_to_sw without converting it back with src16_cnt_to_hw, which
would lead to out of bounds access.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Signed-off-by: Daniil Tatianin <d-tatianin at yandex-team.ru>
---
 drivers/dma/ioat/prep.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/ioat/prep.c b/drivers/dma/ioat/prep.c
index 033d9f2b3e2a..004b8a537b97 100644
--- a/drivers/dma/ioat/prep.c
+++ b/drivers/dma/ioat/prep.c
@@ -329,7 +329,7 @@ static void dump_pq16_desc_dbg(struct ioatdma_chan *ioat_chan,
 	for (i = 0; i < src_cnt; i++) {
 		dev_dbg(dev, "\tsrc[%d]: %#llx coef: %#x\n", i,
 			(unsigned long long) pq16_get_src(descs, i),
-			pq->coef[i]);
+			pq->coef[src16_cnt_to_hw(i)]);
 	}
 	dev_dbg(dev, "\tP: %#llx\n", pq->p_addr);
 	dev_dbg(dev, "\tQ: %#llx\n", pq->q_addr);
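
Review bot: in the loop, pq->coef[src16_cnt_to_hw(i)] applies the conversion to the loop index i, which starts at 0, whereas the commit message describes src16_cnt_to_sw/src16_cnt_to_hw as converting the source count. Neither the helper's definition nor the size of pq->coef is visible in this hunk. If src16_cnt_to_hw() subtracts a fixed offset, the first iterations would yield a wrapped or negative index and the read would still be out of bounds. Please confirm the mapping is valid for every i in [0, src_cnt), or bound the access explicitly, for example by printing coef only when i < ARRAY_SIZE(pq->coef). The commit message should also state the array size and the src_cnt values for which the original read overflows.
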
-- 
2.25.1



