dmaengine: stm32-dmamux: fix a potential buffer overflow
authorPierre-Yves MORDRET <pierre-yves.mordret@st.com>
Tue, 13 Mar 2018 16:55:35 +0000 (17:55 +0100)
committerVinod Koul <vinod.koul@intel.com>
Thu, 22 Mar 2018 05:21:35 +0000 (10:51 +0530)
commit3e4543bf20531d1cdb8672d25b3f2ff6d3d07627
tree0e4ccf921f0c9f47e68e0f242596302e212e35be
parent0c8efd610b58cb23cefdfa12015799079aef94ae
dmaengine: stm32-dmamux: fix a potential buffer overflow

The bitfield dma_inuse is allocated of size dma_requests bits, thus a
valid bit address is from 0 to (dma_requests - 1).
When find_first_zero_bit() fails, it returns dma_requests as invalid
address.
Using such address for the following set_bit() is incorrect and, if
dma_requests is a multiple of BITS_PER_LONG, it will cause a buffer
overflow.
Currently this driver is only used in DT stm32h743.dtsi where a safe value
dma_requests=16 is not triggering the buffer overflow.

Fixed by checking the return value of find_first_zero_bit() _before_
using it.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
drivers/dma/stm32-dmamux.c