From patchwork Mon Apr 14 07:42:01 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Heinrich Schuchardt <xypron.glpk@gmx.de>
X-Patchwork-Id: 3977371
Return-Path: 
 <linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org>
X-Original-To: patchwork-linux-arm@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id E4AC79F2CC
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Mon, 14 Apr 2014 07:44:32 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 2AAEA201D3
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Mon, 14 Apr 2014 07:44:32 +0000 (UTC)
Received: from bombadil.infradead.org (bombadil.infradead.org
	[198.137.202.9])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 5D8D7201CE
	for <patchwork-linux-arm@patchwork.kernel.org>;
	Mon, 14 Apr 2014 07:44:31 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux))
	id 1WZbXM-0001ff-8K; Mon, 14 Apr 2014 07:42:40 +0000
Received: from mout.gmx.net ([212.227.17.20])
	by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat
	Linux)) id 1WZbXI-00019n-K1
	for linux-arm-kernel@lists.infradead.org;
	Mon, 14 Apr 2014 07:42:37 +0000
Received: from Workstation4.fritz.box ([95.222.189.117]) by mail.gmx.com
	(mrgmx002) with ESMTPSA (Nemesis) id 0LptId-1XDKOV1mit-00fhhW;
	Mon, 14 Apr 2014 09:42:08 +0200
From: Heinrich Schuchardt <xypron.glpk@gmx.de>
To: arm@kernel.org
Subject: [PATCH 1/1] arm/mach-vexpress: array accessed out of bounds
Date: Mon, 14 Apr 2014 09:42:01 +0200
Message-Id: <1397461321-7108-1-git-send-email-xypron.glpk@gmx.de>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <alpine.LFD.2.11.1404131337580.980@knanqh.ubzr>
References: <alpine.LFD.2.11.1404131337580.980@knanqh.ubzr>
X-Provags-ID: V03:K0:qzRFeeF9RS+p7MmNWZSd8DGhHrd2yDOvqS+aam+Zhrc8KvjR/Vn
	qW9pPPxmd4rVXVvHGJsLiNgYzh9XEGggWkarwjMfiow/u+drMGksatVBaYUSZwoHNL0o6AE
	G9hsTtWtdG8mBlyfn/geM9kvoyrAgLMU7bch8Zham+O4RbKqC9ARf1BSAkkZogaxIy5Ngks
	Cg6l9f8ghJU8ar2Y6FL1w==
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20140414_004236_989644_3607F0C6 
X-CRM114-Status: GOOD (  10.40  )
X-Spam-Score: 0.0 (/)
Cc: nicolas.pitre@linaro.org, Heinrich Schuchardt <xypron.glpk@gmx.de>,
	linux-arm-kernel@lists.infradead.org
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
	<mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
MIME-Version: 1.0
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

(Forwarding to arm@kernel.org)

dcscb_allcpus_mask is an array of size 2.

The index variable cluster has to be checked against this limit
before accessing the array.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Nicolas Pitre <nico@linaro.org>
---
 arch/arm/mach-vexpress/dcscb.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/arch/arm/mach-vexpress/dcscb.c b/arch/arm/mach-vexpress/dcscb.c
index 16d57a8..a76b44c 100644
--- a/arch/arm/mach-vexpress/dcscb.c
+++ b/arch/arm/mach-vexpress/dcscb.c
@@ -51,12 +51,14 @@ static int dcscb_allcpus_mask[2];
 static int dcscb_power_up(unsigned int cpu, unsigned int cluster)
 {
 	unsigned int rst_hold, cpumask = (1 << cpu);
-	unsigned int all_mask = dcscb_allcpus_mask[cluster];
+	unsigned int all_mask;
 
 	pr_debug("%s: cpu %u cluster %u\n", __func__, cpu, cluster);
 	if (cpu >= 4 || cluster >= 2)
 		return -EINVAL;
 
+	all_mask = dcscb_allcpus_mask[cluster];
+
 	/*
 	 * Since this is called with IRQs enabled, and no arch_spin_lock_irq
 	 * variant exists, we need to disable IRQs manually here.
@@ -101,11 +103,12 @@ static void dcscb_power_down(void)
 	cpu = MPIDR_AFFINITY_LEVEL(mpidr, 0);
 	cluster = MPIDR_AFFINITY_LEVEL(mpidr, 1);
 	cpumask = (1 << cpu);
-	all_mask = dcscb_allcpus_mask[cluster];
 
 	pr_debug("%s: cpu %u cluster %u\n", __func__, cpu, cluster);
 	BUG_ON(cpu >= 4 || cluster >= 2);
 
+	all_mask = dcscb_allcpus_mask[cluster];
+
 	__mcpm_cpu_going_down(cpu, cluster);
 
 	arch_spin_lock(&dcscb_lock);