projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4d4f813)
wil6210: fix memory access violation in wil_memcpy_from/toio_32
authorDedy Lansky <qca_dlansky@qca.qualcomm.com>
Wed, 5 Apr 2017 11:58:11 +0000 (14:58 +0300)
committerKalle Valo <kvalo@qca.qualcomm.com>
Thu, 13 Apr 2017 12:46:12 +0000 (15:46 +0300)
In case count is not multiple of 4, there is a read access in
wil_memcpy_toio_32() from outside src buffer boundary.
In wil_memcpy_fromio_32(), in case count is not multiple of 4, there is
a write access to outside dst io memory boundary.

Fix these issues with proper handling of the last 1 to 4 copied bytes.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
drivers/net/wireless/ath/wil6210/main.c patch | blob | blame | history

diff --git a/drivers/net/wireless/ath/wil6210/main.c b/drivers/net/wireless/ath/wil6210/main.c
index 9aa81ce895b3ec5de71a0b1e465031f46db0b06e..439d27c3aeae04f3da43279e588800f66eb9f142 100644 (file)
--- a/drivers/net/wireless/ath/wil6210/main.c
+++ b/drivers/net/wireless/ath/wil6210/main.c
@@ -130,9 +130,15 @@ void wil_memcpy_fromio_32(void *dst, const volatile void __iomem *src,
        u32 *d = dst;
        const volatile u32 __iomem *s = src;
 
-       /* size_t is unsigned, if (count%4 != 0) it will wrap */
-       for (count += 4; count > 4; count -= 4)
+       for (; count >= 4; count -= 4)
                *d++ = __raw_readl(s++);
+
+       if (unlikely(count)) {
+               /* count can be 1..3 */
+               u32 tmp = __raw_readl(s);
+
+               memcpy(d, &tmp, count);
+       }
 }
 
 void wil_memcpy_fromio_halp_vote(struct wil6210_priv *wil, void *dst,
@@ -149,8 +155,16 @@ void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src,
        volatile u32 __iomem *d = dst;
        const u32 *s = src;
 
-       for (count += 4; count > 4; count -= 4)
+       for (; count >= 4; count -= 4)
                __raw_writel(*s++, d++);
+
+       if (unlikely(count)) {
+               /* count can be 1..3 */
+               u32 tmp = 0;
+
+               memcpy(&tmp, s, count);
+               __raw_writel(tmp, d);
+       }
 }
 
 void wil_memcpy_toio_halp_vote(struct wil6210_priv *wil,