virtio-mmio: Fix irq parsing in command line parameter
authorPawel Moll <pawel.moll@arm.com>
Thu, 22 Nov 2012 02:00:24 +0000 (12:30 +1030)
committerRusty Russell <rusty@rustcorp.com.au>
Tue, 18 Dec 2012 04:50:41 +0000 (15:20 +1030)
When resource_size_t is 64 bits long, the sscanf() on
the virtio device command line parameter string may return
a wrong value because its format was defined as "%u". Fixed
by using an intermediate local value of a known length.

Also cleaned up the resource creation and added extra
comments to make the parameter parsing easier to follow.

Reported-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
drivers/virtio/virtio_mmio.c

index 5a0e1d3..634f80b 100644 (file)
@@ -521,25 +521,33 @@ static int vm_cmdline_set(const char *device,
        int err;
        struct resource resources[2] = {};
        char *str;
-       long long int base;
+       long long int base, size;
+       unsigned int irq;
        int processed, consumed = 0;
        struct platform_device *pdev;
 
-       resources[0].flags = IORESOURCE_MEM;
-       resources[1].flags = IORESOURCE_IRQ;
-
-       resources[0].end = memparse(device, &str) - 1;
+       /* Consume "size" part of the command line parameter */
+       size = memparse(device, &str);
 
+       /* Get "@<base>:<irq>[:<id>]" chunks */
        processed = sscanf(str, "@%lli:%u%n:%d%n",
-                       &base, &resources[1].start, &consumed,
+                       &base, &irq, &consumed,
                        &vm_cmdline_id, &consumed);
 
-       if (processed < 2 || processed > 3 || str[consumed])
+       /*
+        * sscanf() must processes at least 2 chunks; also there
+        * must be no extra characters after the last chunk, so
+        * str[consumed] must be '\0'
+        */
+       if (processed < 2 || str[consumed])
                return -EINVAL;
 
+       resources[0].flags = IORESOURCE_MEM;
        resources[0].start = base;
-       resources[0].end += base;
-       resources[1].end = resources[1].start;
+       resources[0].end = base + size - 1;
+
+       resources[1].flags = IORESOURCE_IRQ;
+       resources[1].start = resources[1].end = irq;
 
        if (!vm_cmdline_parent_registered) {
                err = device_register(&vm_cmdline_parent);
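Review bot: `base` and `size` reach the MEM resource setup without any range check: `size == 0` yields `end = base - 1` (an end below the start), `%lli` accepts a negative `base`, and `base + size - 1` is evaluated in signed `long long`, where overflow is undefined. Extending the existing guard would reject these before the resources are filled in, e.g. `if (processed < 2 || str[consumed] || base < 0 || size <= 0 || size - 1 > LLONG_MAX - base) return -EINVAL;`. On a build where `resource_size_t` is 32-bit, the assignments to `.start` and `.end` would presumably also truncate a larger value silently, which deserves a check or at least a comment. Separately, `sscanf()` stores directly into `vm_cmdline_id` (declared outside this hunk) before the `str[consumed]` test, so a string that is then rejected may already have changed it; parsing the id into a local and assigning it after validation avoids that. vm_cmdline_set() begins and ends outside this hunk.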