diff options
| author | Dedy Lansky <dlansky@codeaurora.org> | 2017-03-28 21:25:42 +0300 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-03-29 23:00:32 -0700 |
| commit | 98b0bcfa6c2ab8b4b4d5a88db5bde381bec22fe0 (patch) | |
| tree | 8788fa9e9049846cdcf55ac1aadb7751c910d4b1 /drivers | |
| parent | 4166896b94303a3f8952d9af6f06fdb7a2b1b45d (diff) | |
wil6210: fix memory access violation in wil_memcpy_from/toio_32
In case count is not multiple of 4, there is a read access in
wil_memcpy_toio_32() from outside src buffer boundary.
In wil_memcpy_fromio_32(), in case count is not multiple of 4, there
is a write access to outside dst io memory boundary.
Fix these issues with proper handling of the last 1 to 4 copied bytes.
Change-Id: Iff7853bc4803a01449ddcee996a54a0dccc1db1a
Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/net/wireless/ath/wil6210/main.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c index 958c96b75fbb..01a27335ec34 100644 --- a/drivers/net/wireless/ath/wil6210/main.c +++ b/drivers/net/wireless/ath/wil6210/main.c @@ -130,9 +130,15 @@ void wil_memcpy_fromio_32(void *dst, const volatile void __iomem *src, u32 *d = dst; const volatile u32 __iomem *s = src; - /* size_t is unsigned, if (count%4 != 0) it will wrap */ - for (count += 4; count > 4; count -= 4) + for (; count >= 4; count -= 4) *d++ = __raw_readl(s++); + + if (unlikely(count)) { + /* count can be 1..3 */ + u32 tmp = __raw_readl(s); + + memcpy(d, &tmp, count); + } } void wil_memcpy_fromio_halp_vote(struct wil6210_priv *wil, void *dst, @@ -149,8 +155,16 @@ void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src, volatile u32 __iomem *d = dst; const u32 *s = src; - for (count += 4; count > 4; count -= 4) + for (; count >= 4; count -= 4) __raw_writel(*s++, d++); + + if (unlikely(count)) { + /* count can be 1..3 */ + u32 tmp = 0; + + memcpy(&tmp, s, count); + __raw_writel(tmp, d); + } } void wil_memcpy_toio_halp_vote(struct wil6210_priv *wil, |