[bug report] mailbox: Introduce support for T-head TH1520 Mailbox driver

Michal Wilczynski m.wilczynski at samsung.com
Fri Nov 29 04:37:01 PST 2024



On 11/29/24 07:56, Dan Carpenter wrote:
> Hello Michal Wilczynski,

Hi Dan,

> 
> Commit 5d4d263e1c6b ("mailbox: Introduce support for T-head TH1520
> Mailbox driver") from Nov 4, 2024 (linux-next), leads to the
> following Smatch static checker warning:
> 
> drivers/mailbox/mailbox-th1520.c:535 th1520_mbox_suspend_noirq() error: buffer overflow 'ctx->intr_mask' 3 <= 3
> drivers/mailbox/mailbox-th1520.c:548 th1520_mbox_resume_noirq() error: buffer overflow 'ctx->intr_mask' 3 <= 3
> 
> drivers/mailbox/mailbox-th1520.c
>     525 static int __maybe_unused th1520_mbox_suspend_noirq(struct device *dev)
>     526 {
>     527         struct th1520_mbox_priv *priv = dev_get_drvdata(dev);
>     528         struct th1520_mbox_context *ctx = priv->ctx;
>     529         u32 i;
>     530         /*
>     531          * ONLY interrupt mask bit should be stored and restores.
>     532          * INFO data all assumed to be lost.
>     533          */
>     534         for (i = 0; i < TH_1520_MBOX_CHANS; i++) {
> --> 535                 ctx->intr_mask[i] =
> 
> The ctx->intr_mask[] array has TH_1520_MBOX_CHANS - 1 elements so this is
> memory corruption.

Thanks, yeah it seems like the array should just be bigger to accomodate
for all registers interrupt masks. This kind of slipped from the vendor
code, and I haven't noticed it. Will send a patch fixing this.

> 
>     536                         ioread32(priv->local_icu[i] + TH_1520_MBOX_MASK);
>     537         }
>     538         return 0;
>     539 }
> 
> regards,
> dan carpenter
> 



More information about the linux-riscv mailing list