Re: [PATCH] mailbox: ti-msgmgr: Off by one in ti_msgmgr_of_xlate()

From: Nishanth Menon
Date: Mon Dec 03 2018 - 10:52:10 EST

Next message: Tycho Andersen: "Re: [PATCH v9 3/4] seccomp: add a return code to trap to userspace"
Previous message: Chen-Yu Tsai: "Re: [PATCH v2 00/15] ARM: sunxi: Enable Broadcom-based Bluetooth controllers"
In reply to: Dan Carpenter: "[PATCH] mailbox: ti-msgmgr: Off by one in ti_msgmgr_of_xlate()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 17:50-20181203, Dan Carpenter wrote:
> The > comparison should be >= or we access one element beyond the end
> of the array.
>
> (The inst->qinsts[] array is allocated in the ti_msgmgr_probe() function
> and it has ->num_valid_queues elements.)
>
> Fixes: a2b79838b891 ("mailbox: ti-msgmgr: Add support for Secure Proxy")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/mailbox/ti-msgmgr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/mailbox/ti-msgmgr.c b/drivers/mailbox/ti-msgmgr.c
> index 713d701b6568..6f6addd51d14 100644
> --- a/drivers/mailbox/ti-msgmgr.c
> +++ b/drivers/mailbox/ti-msgmgr.c
> @@ -547,7 +547,7 @@ static struct mbox_chan *ti_msgmgr_of_xlate(struct mbox_controller *mbox,
> }
>
> if (d->is_sproxy) {
> - if (req_pid > d->num_valid_queues)
> + if (req_pid >= d->num_valid_queues)
> goto err;
> qinst = &inst->qinsts[req_pid];
> return qinst->chan;
> --
> 2.11.0
>

OOpps.. Thanks for catching it.

Acked-by: Nishanth Menon <nm@xxxxxx>

--
Regards,
Nishanth Menon

Next message: Tycho Andersen: "Re: [PATCH v9 3/4] seccomp: add a return code to trap to userspace"
Previous message: Chen-Yu Tsai: "Re: [PATCH v2 00/15] ARM: sunxi: Enable Broadcom-based Bluetooth controllers"
In reply to: Dan Carpenter: "[PATCH] mailbox: ti-msgmgr: Off by one in ti_msgmgr_of_xlate()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]