From 3d9ea9e3af048ab6b8dced15248384e548ba05ea Mon Sep 17 00:00:00 2001 From: Don Morris Date: Thu, 15 Mar 2012 11:07:30 -0700 Subject: [PATCH] iop-adma: Corrected array overflow in RAID6 Xscale(R) test. Bug: cppcheck reported overflow in array assignment (for loop walks 0 to IOP_ADMA_NUM_SRC_TEST+2, array size is IOP_ADMA_NUM_SRC_TEST). Reported as: https://bugzilla.kernel.org/show_bug.cgi?id=42677 Test code pq_src array was grown by two elements to correspond with actual usage (IOP_ADMA_NUM_SRC_TEST+2), stack consumption was kept constant by modifying the pq_dest two element array which is only used when pq_src is referenced up to IOP_ADMA_NUM_SRC_TEST elements into the address of the new last two elements of the pq_src array. This is presumed to be the original intent but would be reliant on compilers always having pq_dest contiguous with the final element of pq_src. Note: This is a re-send of a request for review from two weeks ago. Looking for review (or shootdown), adding LKML to list for a wider audience. Thanks. Updated per review comments of Sergei Shtylyov Signed-off-by: Don Morris Signed-off-by: Dan Williams --- drivers/dma/iop-adma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/dma/iop-adma.c b/drivers/dma/iop-adma.c index 04be90b645b8..9b1951df5c20 100644 --- a/drivers/dma/iop-adma.c +++ b/drivers/dma/iop-adma.c @@ -1271,8 +1271,8 @@ iop_adma_pq_zero_sum_self_test(struct iop_adma_device *device) struct page **pq_hw = &pq[IOP_ADMA_NUM_SRC_TEST+2]; /* address conversion buffers (dma_map / page_address) */ void *pq_sw[IOP_ADMA_NUM_SRC_TEST+2]; - dma_addr_t pq_src[IOP_ADMA_NUM_SRC_TEST]; - dma_addr_t pq_dest[2]; + dma_addr_t pq_src[IOP_ADMA_NUM_SRC_TEST+2]; + dma_addr_t *pq_dest = &pq_src[IOP_ADMA_NUM_SRC_TEST]; int i; struct dma_async_tx_descriptor *tx; -- 2.34.1