[PATCH] dmaengine: ste_dma40: fix out-of-bounds access from D40_MEMCPY_MAX_CHANS
Linus Walleij
linusw at kernel.org
Tue Jun 2 01:48:05 PDT 2026
On Sun, May 31, 2026 at 11:08 PM Rosen Penev <rosenp at gmail.com> wrote:
> D40_MEMCPY_MAX_CHANS is defined as 8, but the dma40_memcpy_channels[]
> array only has 6 elements. This mismatch causes an out-of-bounds
> issue:
>
> 1. d40_of_probe() accepts up to 8 memcpy channels from DT
> (num_memcpy > D40_MEMCPY_MAX_CHANS allows 7-8), then writes them
> into the 6-element dma40_memcpy_channels[], corrupting adjacent
> stack memory.
>
> Fix by defining D40_MEMCPY_MAX_CHANS as 6 to match the array size.
>
> Fixes: a7dacb68b35a ("dmaengine: ste_dma40: Allow memcpy channels to be configured from DT")
> Assisted-by: Opencode:Big-Pickle
> Signed-off-by: Rosen Penev <rosenp at gmail.com>
Excellent find Rosen!
Reviewed-by: Linus Walleij <linusw at kernel.org>
Yours,
Linus Walleij
More information about the linux-arm-kernel
mailing list