media: cxd2880-spi: avoid out-of-bounds access warning

The -Warray-bounds warning in gcc-8 triggers for a newly added file: drivers/media/spi/cxd2880-spi.c: In function 'cxd2880_write_reg': drivers/media/spi/cxd2880-spi.c:111:3: error: 'memcpy' forming offset [133, 258] is out of the bounds [0, 132] of object 'send_data' with type 'u8[132]' {aka 'unsigned char[132]'} [-Werror=array-bounds] The problem appears to be that we have two range checks in this function, first comparing against BURST_WRITE_MAX (128) and then comparing against a literal '255'. The logic checking the buffer size looks at the second one and decides that this might be the actual maximum data length. This is understandable behavior from the compiler, but the code is actually safe. Since the first check is already shorter, we can remove the loop and only leave that. To be on the safe side in case BURST_WRITE_MAX might be increased, I'm leaving the check against U8_MAX. Fixes: bd24fcdd ("media: cxd2880-spi: Add support for CXD2880 SPI interface") Cc: Martin Sebor <msebor@gmail.com> Signed-off-by: N Arnd Bergmann <arnd@arndb.de> Reviewed-by: N Yasunari Takiguchi <Yasunari.Takiguchi@sony.com> Signed-off-by: N Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

media: cxd2880-spi: avoid out-of-bounds access warning
The -Warray-bounds warning in gcc-8 triggers for a newly added file: drivers/media/spi/cxd2880-spi.c: In function 'cxd2880_write_reg': drivers/media/spi/cxd2880-spi.c:111:3: error: 'memcpy' forming offset [133, 258] is out of the bounds [0, 132] of object 'send_data' with type 'u8[132]' {aka 'unsigned char[132]'} [-Werror=array-bounds] The problem appears to be that we have two range checks in this function, first comparing against BURST_WRITE_MAX (128) and then comparing against a literal '255'. The logic checking the buffer size looks at the second one and decides that this might be the actual maximum data length. This is understandable behavior from the compiler, but the code is actually safe. Since the first check is already shorter, we can remove the loop and only leave that. To be on the safe side in case BURST_WRITE_MAX might be increased, I'm leaving the check against U8_MAX. Fixes: bd24fcdd ("media: cxd2880-spi: Add support for CXD2880 SPI interface") Cc: Martin Sebor <msebor@gmail.com> Signed-off-by: N Arnd Bergmann <arnd@arndb.de> Reviewed-by: N Yasunari Takiguchi <Yasunari.Takiguchi@sony.com> Signed-off-by: N Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
53dcd70e · Arnd Bergmann · Mauro Carvalho Chehab · 89eaaf2d · 53dcd70e
隐藏空白更改
内联并排

Showing with 7 addition and 17 deletion

drivers/media/spi/cxd2880-spi.c drivers/media/spi/cxd2880-spi.c +7 -17

未找到文件。
--- a/drivers/media/spi/cxd2880-spi.c
+++ b/drivers/media/spi/cxd2880-spi.c
@@ -88,7 +88,7 @@ static int cxd2880_write_reg(struct spi_device *spi,
 		pr_err("invalid arg\n");
 		return -EINVAL;
 	}
-	if (size > BURST_WRITE_MAX) {
+	if (size > BURST_WRITE_MAX || size > U8_MAX) {
 		pr_err("data size > WRITE_MAX\n");
 		return -EINVAL;
 	}
@@ -101,24 +101,14 @@ static int cxd2880_write_reg(struct spi_device *spi,
 	send_data[0] = 0x0e;
 	write_data_top = data;

-	while (size > 0) {
-		send_data[1] = sub_address;
-		if (size > 255)
-			send_data[2] = 255;
-		else
-			send_data[2] = (u8)size;
+	send_data[1] = sub_address;
+	send_data[2] = (u8)size;

-		memcpy(&send_data[3], write_data_top, send_data[2]);
+	memcpy(&send_data[3], write_data_top, send_data[2]);

-		ret = cxd2880_write_spi(spi, send_data, send_data[2] + 3);
-		if (ret) {
-			pr_err("write spi failed %d\n", ret);
-			break;
-		}
-		sub_address += send_data[2];
-		write_data_top += send_data[2];
-		size -= send_data[2];
-	}
+	ret = cxd2880_write_spi(spi, send_data, send_data[2] + 3);
+	if (ret)
+		pr_err("write spi failed %d\n", ret);

 	return ret;
 }